CPA BEC Module 2
Principle #8 of COSO's 17 principles (see the "17 Principles of Internal Control" lesson) states: _________
"The organization considers the potential for fraud in assessing risks to the achievement of objectives."
Corporate and Criminal Fraud Accountability SOX contained several provisions to increase criminal penalties and other forms of accountability for financial fraud and other wrongdoing. Many of those were contained in Title VIII. Section 802 responded directly to the decision of accounting firm Arthur Andersen to shred two tons of Enron documents once it learned that it was being investigated by the SEC for potential wrongdoing in connection with its audits of Enron. This resulted in two new criminal statutes. Destruction, alteration, or falsification of records in federal investigations and bankruptcy—One statute subjects to fine and/or imprisonment of not more than 20 years anyone who "knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any agency or department of the United States" or in any bankruptcy case filed under Chapter 11. Obviously, this provision punishes obstruction of justice beyond just SEC proceedings. Destruction of corporate audit documents—The second statute, as supplemented by SEC rule, requires _________________
"any accountant" who audits a public company to "maintain all audit or review workpapers" for seven years after the conclusion of the audit.
Defining and Categorizing Fraud COSO defines fraud as _________ (COSO Executive Summary)
"any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain"
Managing ERM includes focus on the following elements of an organization Integrating with strategy-setting and performance—ERM must be integrated with an organization's strategy, mission, and performance goals. Managing risk to strategy and business objectives—Well-designed and implemented ERM provides an entity with a ______ Reasonable expectations of achieving goals are not guarantees of success. Unforeseen events will occur; risks cannot be predicted with certainty. However, the chances of success increase to the extent that an organization regularly reviews and revises its ERM practices to changing conditions.
"reasonable expectation" (see definition in Section IV of this lesson) of achieving strategic goals.
Fraud Risk Management Principles COSO's five fraud risk management principles (see diagrams below illustrating these principles) Principle 3—Control Activities The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. Focal points: Promote fraud deterrence through preventive and detective controls. Control activities should consider ___ ___ ___ ___ ___ ___ ___
(a) Organization- and industry-specific factors. (b) Applying controls to differing organizational levels. (c) Risk of management override of controls. (d) Integration with fraud risk assessments. (e) Multiple, synergistic fraud control activities (e.g., a defense-in-depth strategy). (f) Proactive data analytics procedures, such as identification of anomalous transactions. (g) Control through policies and procedures.
Summary: The Five Components and 20 Principles of Risk Management Governance and Culture ______ ______ ____ ______ _______ _____________ 6. Analyzes Business Context—The organization considers potential effects of business context on risk profile. 7. Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value. 8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile. 9. Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy. Performance 10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives. 11. Assesses Severity of Risk—The organization assesses the severity of risk. 12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks. 13. Implements Risk Responses—The organization identifies and selects risk responses. 14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk. Review and Revision ________ ________ _______ Information, Communication, and Reporting 18. Leverages Information Systems—The organization leverages the entity's information and technology systems to support enterprise risk management. 19. Communicates Risk Information—The organization uses communication channels to support enterprise risk management. 20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.
1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives. 2. Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives. 3. Defines Desired Culture—The organization defines the desired behaviors that characterize the entity's desired culture. 4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity's core values. 5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives. Strategy and Objective Setting 15. Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives. 16. Reviews Risk and Performance—The organization reviews entity performance and considers risk. 17. Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.
Misleading auditors—SOX Section _______ makes it a crime for any officer, director, or person acting under their direction to violate SEC rules by fraudulently influencing, coercing, manipulating, or misleading an auditor for the purpose of rendering financial statements misleading. Clawbacks— Section ________ provides that if an issuer must materially restate its financial statements as a result of "misconduct," which apparently need not be intentional, the CEO and CFO shall reimburse the company for bonuses received due to the misstatement and for any profits they realized from sale of the company's stock during that period.
303 304
Establish Operating Structures—The organization establishes operating structures that support the strategy and business objectives. Authority and Responsibility—In entities with one board of directors, management designs and implements practices to achieve strategy and objectives. In entities with dual-board structures, a supervisory board focuses on long-term strategy and oversight while the management (or executive) board oversees daily operations. Risk management is improved when ______ ______ _______
Management delegates responsibility only as required to achieve objectives. Management identifies transactions that require review and approval. Management identifies and assesses new and emerging risks.
Fraud Risk Management Principles COSO's five fraud risk management principles (see diagrams below illustrating these principles) Principle 1—Control Environment The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Focal points include _____ _____ _____
Map fraud risk program to the organization's goals and risks. Establish fraud risk governance roles and responsibilities throughout the organization. Document the program and communicate it throughout the organization.
Communicate Risk Information—The organization uses communication channels to support ERM. Important internal communications from management include _____ _____ _____ _____ _____
The entity's strategy, business objectives, and performance expectations. Desired behaviors and core values that define the entity's culture. The value and importance of ERM. The entity's risk appetite and tolerance. Expectations related to cases of ERM weakness, degradation, or failure.
Embracing a Risk-Aware Culture—A risk-aware culture includes: Strong leadership endorsement of risk awareness and appropriate tone. A participative management style that encourages employees to discuss risks to the strategy and objectives. This includes open and honest discussions about risk. ______ ______
Aligning risk awareness with behaviors and performance evaluation, including salary and incentive programs that align with the organization's core values. Encouraging risk awareness across the entity, including awareness that risk awareness is critical to success and survival.
Financial expert—Because boards of directors during the Enron era often were not up to the task of detecting even massive accounting frauds, SOX's Section 407 requires that at least one member of the audit committee be a "financial expert." The SEC has issued rules defining an "audit committee financial expert" to mean someone with the following attributes: ____ ____ ___ ___ ____
An understanding of GAAP and financial statements; an ability to assess the general application of these principles in connection with accounting for estimates, accruals, and reserves; experience preparing, auditing, analyzing, or evaluating financial statements that present a breadth and level of complexity comparable to those presented by the issuer's financial statements, or experience actively supervising persons engaged in such activities; an understanding of internal controls and procedures for financial reporting; and an understanding of audit committee functions.
Report on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity. Reporting on culture is challenging since measuring culture is a complex task. Reports about culture may include: ___________
Analytics of cultural trends (e.g., number and significance of reports to a whistleblower hotline), benchmarking within an industry or to a standard, compensation systems and their implications for behavior, "lessons learned" analyses, reviews of trends in behavior (e.g., downtime due to worker errors), and surveys of risk attitudes and awareness.
What Is the Board of Directors' Role in ERM? The board of directors provides oversight of organizational ERM including reviewing, challenging, and concurring with management on: Proposed strategy and risk appetite (see the definition below). Aligning strategy and objectives with the entity's mission and core values. Major business decisions including mergers, acquisitions, capital allocations, funding, and dividend-related decisions. Responding to significant fluctuations in entity performance or the entity's portfolio risk assessment. Responding to deviations from core values including fraud. ____ ____ _____
Approving management incentives and compensation. Engaging in managing investor and stakeholder relations. Creating and sustaining an organizational culture that enables responsible risk taking and risk management.
Opportunities to improve ERM may arise in any of the following areas: The three are examples of what? For example, through review, an organization determines that employees are not reading emails related to monitoring emerging risks. In response, the organization works with supervisors to highlight the relevance of these communications; in addition, it moves the most important of these communications to the organization's instant messaging system. For example, a global shipping organization discovers during a benchmarking exercise that operations in Asia are performing far below its major competitor. As a result, it reviews and revisits its strategy and objectives to increase its performance in Asia. For example, a software company that makes a mobile app for retailers (i.e., a rapidly changing market and industry) will have more frequent opportunities to improve its ERM processes than a company in the metal wholesaling business (i.e., which buys and delivers metal for manufacturing), a currently stagnant industry.
Communications—Reviewing performance can identify outdated or inadequate communication processes. Peer Comparison (Benchmarking)—Reviewing industry peer data may provide insight into industry performance tolerance (i.e., the range of acceptable outcomes). Rate of Change—Management must consider the rate of business context change and disruption.
Fraud Risk Management Principles COSO's five fraud risk management principles (see diagrams below illustrating these principles) Principle 5—Monitoring Activities The organization selects, develops, and performs ongoing evaluations to ascertain the presence and functioning of the five principles of fraud risk management and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors. Focal points: ____ _____ ______
Consider: Ongoing and separate evaluation. Influences on scope and frequency of monitoring (e.g., changing fraud risks, personnel changes). Known and emerging fraud cases. Establish appropriate management criteria. Evaluate, communicate, and remediate deficiencies identified through monitoring.
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. More specifically, the entity uses operating structures to identify new and emerging risks to enable timely responses. Such risks may arise from: A change in business objectives (e.g., the entity adopts a new strategy). A change in business context. For example, a change in: __________ & _________ Discoveries. For example, the discovery of detrimental environmental effects from fracking (i.e., the process of injecting liquid at high pressure into subterranean rocks to obtain oil or gas). Cascading effects from previous changes. For example, a significant increase in sales results in inadequate production quantity and capacity.
Customer preferences for digital or environmentally friendly products Regulation that results in new requirements for the entity
A Data Analytics Plan to Support Fraud Risk Management Analytics design—Assess fraud risk (described previously); map risks to data sources and data availability; create work plan, timeline, and deliverables. Data collection—Map data to planned analytics tests; validate data. Data organization and calculation—Execute work plan; adapt analytics to available data; consider using advanced analytics including text mining, statistical analysis, and pattern analysis. ____ _____
Data analysis—Evaluate analytics results. Develop and implement scoring models to prioritize risks. Adapt and tune the model to improve relevance and accuracy of results. Findings, observations, and remediation—Request supporting documents to assist in making results actionable. Determine triage and escalation procedures to determine report levels (lower level, mid-level, top management?), develop remediation plan for identified issues.
Leverage Information Systems—The organization leverages the entity's information and technology systems to support enterprise risk management. Effective data management includes three key elements:
Data and information governance includes governance processes for identifying data and risk owners and holding them accountable. Processes and controls help an entity create and maintain reliable data. For example, organizations may have processes to identify instances and patterns of both low- and high-quality data and whether that data meets requirements and standards (e.g., the accuracy of posted transactions). Managing data requires more than using processes and controls to ensure its quality. It also involves preventing issues of quality from occurring in the first place through strong governance processes. Data management architecture refers to the fundamental design of the technology and related data. It includes models, policies, rules, or standards that determine which data is collected and how it is stored, arranged, integrated, and used in systems and in the organization.
According to the SEC, a person may gain these aforementioned attributes of a "financial expert" through: ____ ____ ____
Education and experience as a principal financial officer, principal accounting officer, controller, public accountant or auditor, or experience in one or more positions that involve the performance of similar functions; Experience actively supervising such a person; or Other relevant experience.
___________—The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Enterprise risk management
Fraud Risk Management Principles COSO's five fraud risk management principles (see diagrams below illustrating these principles) Principle 4—Information and Communication The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud. Focal points: ____ ___ ___ ___ ___
Establish fraud investigation and response protocols. Conduct and document investigations. Communicate investigation results. Implement corrective actions. Evaluate investigation performance.
Why is ERM Important? What is the organizational value?
Expanding opportunities; identifying and managing entity-wide risk; increasing positive and reducing negative outcomes; reducing performance variability; better deploying assets; increasing enterprise resilience.
Data Analytics Tools to Support Fraud Risk Management Data stratification—Sort or categorize data, including payments, journal entries, surveys, or employee data. Risk scoring—Weight, aggregate, and compare fraud risk factors. Data visualization—Detect changes and trends, e.g., a fraud risk assessment heat map, a fraud dashboard. Trend analysis—Analyze data over time and across locations (e.g., ratio analysis over time or across locations). ____ ____ ____
Fluctuation analysis—Detect anomalies (e.g., unusual transactions, missing but expected transactions). Statistical analysis and predictive modeling—Often used with continuous auditing and monitoring systems. Integrating external data sources—e.g., emerging fraud risks, industry trends, regulatory actions, economic indicators (e.g., the Consumer Price Index).
________—The allocation of roles, authorities, and responsibilities among stakeholders, the board, and management. Some aspects of governance fall outside ERM (e.g., board member recruiting and evaluation; developing the entity's mission, vision, and core values).
Governance
COSO's Risk Management Framework The ERM framework includes five components and 20 principles. These are illustrated below and discussed in this and the next lesson, "ERM Governance and Culture." The five components of the ERM framework are ____ ____ ____ ____ ____
Governance and culture; Strategy and objective setting; Performance; Review and revision; Information, communication, and reporting.
Review Risk and Performance—The organization reviews entity performance and considers related risks. Periodically, organizations must review their ERM capabilities and practices. Such reviews seek answers to questions such as: ___ _____ _____ ______
How has the entity performed? What risks influence performance? Is the entity taking sufficient risk to attain its targets? Were risk estimates accurate?
The COSO fraud risk management framework includes a framework for using data analytics to prevent, detect, and investigate fraud. Data analytics can address all aspects of the fraud triangle:_____ _____ _____
Incentive and pressure—Data analytics can help identify management practices and business processes that encourage employees to bypass or circumvent controls including risks of rogue behavior and excessive spending. Opportunity—Data analytics can help prevent fraud through monitoring (i.e., confirmation of) key controls. Continuous auditing of key controls is often possible through data analytic tools. Attitudes and rationalization—Data analytics can deter fraud by causing mountebanks (fraudsters) to not engage in fraud because they know of monitoring programs, and, by detecting communications that indicate fraudulent activity.
Assess organizational risk Risk assessment should consider: ____ ____ _____
Inherent risk (i.e., the risk in the absence of efforts to address it); Target residual risk (i.e., the desired amount of risk after actions to address it); and Actual residual risk (i.e., the realized risk after taking actions to address it).
Fraud Risk Management Principles COSO's five fraud risk management principles (see diagrams below illustrating these principles) Principle 2—Risk Assessment The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. Focal points for the risk assessment include: Managing the risk assessment process: _____ ______ _____ Risk assessments: Analyze internal (i.e., types of activities) and external (customers, vendors, environment) risks. Consider risks of distinct types of fraud (see earlier four categories of fraud). Consider the risk of management override of controls. Estimate the likelihood and significance of identified risks. Assess personnel and departments in relation to the fraud triangle (opportunity, incentives and pressure, attitudes or rationalizations). Fraud controls and their effectiveness: _____
Involve appropriate management, including all organizational management levels and functions. Use data analytics to assess risks and evaluate responses. Periodically reassess fraud risk. Document risk assessment. Identify existing fraud controls and their effectiveness. Determine risk responses.
___________—Leading (predictive) indicators of emerging risks.
Key risk indicators (KRIs)
Enforcing Accountability for Actions—This includes documenting and adhering to policies for accountability. Accountability is in evidence when: Management and the board of directors clearly communicate expectations of accountability. ________ _________ _____
Management communicates risk information throughout the organization. Employees commit to business objectives, including individual targets and performance within the entity's objectives. Management responds to deviations from standards and behaviors as appropriate (including terminations and corrective actions, as needed).
Define Desired Culture—The board of directors and management define (and exhibit) the desired behaviors that characterize the entity's desired culture. Culture and Desired Behavior Internal and external factors influence organizational culture. Internal influences include: ______ ______ ______
Management judgment; the level of autonomy provided to employees, and employee and management interactions (e.g., formal vs. informal); physical layout of the workplace (e.g., decentralized, centralized, or virtual); system of rewards, recognition, accountability, and compensation.
Role of Risk in Strategy Selection—Three risks exist in strategy selection and implementation: Risk #1—_________. Does our strategy align with our mission, vision, and core values? An organization or its executives may engage in behaviors that are inconsistent with the organization's values. For example, Enron's Code of Ethics (easily findable online) included many lofty statements about Enron's outstanding reputation for fairness and honesty. This is a slam-dunk example of a deceitful strategy (cheat shareholders and customers) misaligning with a lofty mission and values statement. Risk #2—_______. Do we understand the risk implications of our chosen strategy? Every strategy has its own risk profile. Identifying and quantifying these risks is a part of matching the strategy with the organization's risk appetite. Identifying and quantifying risk—as a portfolio view of risk (discussed in the "ERM and Performance" lesson)—is challenging but essential to understanding the risk profile of the strategy chosen. Risk #3—______. Will we be successful? Will we achieve the goals specified in our strategy? What are the influences on the viability of our strategy? (This is the least important of the three risks.)
Misalignment Implications Risks to Success
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. Disruptive (substantial) effects may also occur from events or circumstances. Examples of potentially disruptive effects include: Emerging technologies (e.g., the digitalization and globalization of data and information). Expanding role and use of big data and data analytics, which may improve the ability of both the entity and its competitors to identify risks and their implications. Depleting natural resources, which may influence the supply, demand, and location of products and services. Rise of virtual entities, such as bots (see definition at the end of this lesson) and AI (artificial intelligence)-driven intelligent systems, which can influence the supply, demand, and distribution channels of markets. _______ ______ ________
Mobile workforces (e.g., the widespread availability of online, temporary labor, such as Upwork). Labor shortages (i.e., the difficulty of finding and retaining appropriate skills and talent). Shifts in lifestyle, healthcare, and demographics (i.e., the aging of some countries, such as Japan and Germany, and the growth of young consumers in other countries, such as in Central Africa).
What Is Enterprise Risk Management (ERM)?—ERM is the culture, capabilities, and practices by which organizations manage risk to create, preserve, and realize value (performance). ERM must be integrated with strategy setting and linked to organizational performance. Risk is an uncertain event that will influence whether an organization achieves its strategic business goals. That is, risk is the likelihood that performance will be different from targeted. Note that COSO defines risk (counterintuitively for most people) as a neutral (i.e., neither negative nor positive) event. Hence, to COSO, risks can be negative or positive. For example: A __________ risk is that the new accounting system that your company implemented fails to work and you cannot keep track of sales and inventory (e.g., the 1999 Hershey's chocolate enterprise resource planning disaster). A ________ risk might be that your company's servers fail because demand for your product is so high (which occurred repeatedly in the early days of eBay).
Negative Positive
Pursue ERM Improvement—The organization pursues improvement of its ERM activities and functions. Continual evaluation of ERM activities may be fruitfully embedded in ongoing business processes and practices (e.g., budgeting, performance reviews). Separate, periodic evaluations are also useful. Opportunities to improve ERM may arise in any of the following areas:
New technology may provide opportunities for efficiency; Historical shortcomings; Organizational change may be needed to support changing risks or governance structures; Risk appetite; Risk categories; Communications; Peer comparisons; Rate of change.
The following are examples of which areas in which opportunities to improve ERM may arise? For example, emerging data mining and automated content (e.g., sentiment) analysis methods can provide quick assessments of customer satisfaction with products. For example, an auto parts manufacturer notes that it has insufficiently captured past currency fluctuation risks. It implements new monitoring processes to improve its assessment of these risks.
New technology may provide opportunities for efficiency. Historical Shortcomings—Reviewing performance can identify historical shortcomings, including the causes of past failures. This can inform ERM efforts.
Improper loans—SOX Section 402 prohibits (with some exceptions) public companies from making personal loans to their top officers and directors. Such loans are now permitted only if they are made: _____ ______ ______
On market terms In the ordinary course of business Available to the public as well as to insiders
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. Approaches and Methods of Identifying Risk Multiple, acceptable approaches exist to identifying risks. Risk identification may be integrated into: ________ ___________
Ongoing processes, such as budgeting, planning and performance reviews, and Activities targeted at risk identification such as questionnaires, workshops, and interviews.
Opportunities to improve ERM may arise in any of the following areas: The three are examples of what? For example, in one organization the ERM function reported to the chief financial officer. However, to improve its alignment of strategy and ERM, the entity created a strategy group to whom the realigned ERM function reported. These changes enabled the organization to better align its strategy with its ERM function. For example, management monitored the performance of a new product over a year and determined that the market was less volatile than originally forecasted. Accordingly, management assesses whether it can increase its risk appetite for similar product launches. For example, one organization did not include cyber risk as a threat until it began offering online products. After offering online products, it revised its categories to include cyber risk.
Organizational change may be needed to support changing risks or governance structures. Risk Appetite—Performance reviews enable refinement of risk appetite. Risk Categories—Continuous improvement efforts can identify patterns and relationships that lead to revised risk categories.
__________—The ability of an entity to withstand the impact of large-scale events.
Organizational sustainability
A portfolio view of risk may represent differing levels of integration. COSO identifies four levels of risk integration, which are presented below from least to most integrated. Minimal integration—the risk view. The entity identifies and assesses risk at the event level. The focus is on events, not objectives. An example of minimal integration is focusing on the risk of a breach of an IT system in relation to the risk of complying with local regulations. Limited integration—risk category view. The entity identifies and assesses risk at the risk inventory (i.e., category) level. For example, the creation of a compliance department will aid the entity in managing the risk of complying with local regulations. ______________ The entity identifies and assesses risk at the business objective level and considers dependencies among objectives. For example, the entity considers all business objectives that have compliance-related risks. _________ The entity identifies and assesses risk at the strategy and business objectives level. Greater integration improves support for risk-related decision making. Compared to the previous examples, the board and management focus more on the achievement of strategy. For example, the board reviews and challenges management to articulate its strategy related to achieving operational excellence, including the management of compliance-related objectives and related risks.
Partial integration—risk profile view. Full integration—portfolio view.
How Business Context Influences Risk Profile. The business context may influence an entity's risk profile at three stages: past, present, and future performance. _______ _______ ________
Past performance informs an organization's expected risk profile. Current performance provides evidence of trends and influences on the risk profile. Future expected performance helps an entity shape and create its risk profile.
ERM and Performance—ERM is designed to improve organizational performance. Performance measures may include: Financial measures, such as return on investments, revenue, or profitability. Operating measures, such as hours of operation, production volumes, or capacity percentages. Obligation (or contractual) measures, such as adherence to service-level agreements or regulatory compliance requirements. ______ ________ ______
Project measures, such as having a new product launch on schedule. Growth measures, such as expanding market share in an emerging market. Stakeholder measures, such as the delivery of education and basic employment skills to those needing upgrades when they are out of work.
Assess Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives. Examples of substantial changes include: In the internal environment:
Rapid growth—When operations expand quickly, existing structures, business activities, information systems, or resources may be inadequate to address expanding roles and responsibilities. Risk oversight roles and responsibilities may need to be redefined accordingly. For instance, supervisors may fail to adequately supervise added manufacturing shifts or an increase in employees. Innovation—Major innovations introduce new risks. For example, introducing consumer sales through mobile devices may require new system access controls. Major changes in leadership or personnel—A new management team member may misunderstand the entity's culture or may focus on performance to the exclusion of risk appetite or tolerance.
_______—The amount of risk of achieving strategy and business objectives that is appropriate for an entity, recognizing that risk cannot be predicted precisely.
Reasonable expectation
COSO identifies four categories of fraud:
Reporting: financial reporting, non-financial reporting; misappropriation of assets; other illegal acts and corruption.
Risk—The possibility that events will occur and affect the achievement of objectives. ______—The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
Risk appetite
_______—The types and amount of risk that an organization is willing to accept in pursuit of value.
Risk appetite
_________—The maximum level of risk established by an entity.
Risk ceiling
________—The minimum level of risk established by an entity.
Risk floor
________—A composite view of the risk assumed at a level of the entity, or aspect of the business that positions management to consider the types, severity, and interdependencies of risks, and how they may affect performance relative to the strategy and business objectives.
Risk profile
Determining Risk Appetite—Management and the board must make an informed choice of an appropriate risk appetite. Multiple acceptable approaches exist to determining and expressing risk appetite. (See the next example for examples of risk appetite expressions.) For some entities, "low" or "high" appetite may be sufficient. Other entities will prefer a more detailed or quantitative approach: for example, by expressing risk appetite in financial results or a beta measure (i.e., a measure of the volatility of a stock compared to the stock market) of its stock. Risk appetite may include considering an entity's: _____ ______ ______
Risk profile (i.e., a composite assessment of risks, including consideration of risk types, severity, and interdependence). Risk capability (i.e., the maximum amount of risk that an entity can absorb in pursuing its strategy and business objectives). ERM capability and maturity. Organizations with more mature and capable ERM initiatives are likely to have greater insight into risk appetite and influences on risk capacity than are entities with less mature and less capable ERM functions.
What are the 8 steps in starting ERM?
Seek board and senior management involvement and oversight. Identify and position a leader to drive the ERM initiative. Establish a management working group. Inventory the organization's existing risk management practices. Assess key strategies and their related strategic risks. Develop a consolidated action plan and communicate it to the board and management. Develop and enhance risk reporting. Develop the next phase of action plans and ongoing communications.
Managing fraud risk through HR procedures—Many HR procedures help manage fraud risk, including: Background, credit, and criminal checks (where allowed by law)—of employees, suppliers, and business partners; Fraud risk management training—to identify and manage entity- and industry-specific risks (e.g., in financial services); Evaluating performance and compensation programs—e.g., do bonus programs incentivize fraud risks by offering large, short-term bonuses for sales or earnings targets?; Annual employee surveys—including assessments of ethical tone, observed misconduct, and knowledge of how to report concerns or misbehavior; Exit interviews—including discussion of possible fraud and misconduct in the organization. ____ _____ ______
Segregation of duties—discussed in the "Fraud Risk Management" lesson; Transaction-level controls—discussed in the "Logical and Physical Access Controls" module (e.g., data entry tests, authorization approvals); Implementation of a whistleblower system—mandated for SEC registrants by the SOX Act of 2002.
_______—A measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.
Severity
______—The impact of events or the time it would take to recover.
Severity
Establish Operating Structures—The organization establishes operating structures that support the strategy and business objectives. Operating Structure and Reporting Lines—The operating structure maps how an entity fulfills its daily responsibilities and aligns with the organization's legal and management structure. Influences on an entity's operating structure include:
Strategy and business objectives and related risks; Nature, size, and geographical distribution of the business; Assignment of authority, accountability, and responsibility across all levels; Reporting lines (direct versus secondary) and communication channels; External reporting requirements (e.g., financial, tax, regulatory).
__________— A method (that is common and often required by regulators for banks) for testing a risk portfolio (e.g., of loans in a bank) using simulation. In a stress test, the assumptions about risk are manipulated to assess how different "stressors" (i.e., risks) will affect a risk portfolio.
Stress testing
Exercise Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives. Independence—The board must be independent of management. Potential impediments to board member independence include: A substantial financial interest in the entity; Employment in an "executive capacity" in the organization (i.e., in a management position) or acting in a capacity to advise the board (e.g., as a consultant); A material business or contractual relationship with the entity (e.g., as a supplier, customer, or service provider). _______ _____ _____ ______
Substantial donations to the entity; A business or personal relationship with key stakeholders; Membership on a board with a potential conflict of interest to this board; Holding a position on the board for an extended period.
ERM Assessment—Organizations must assure their stakeholders that they can manage risk by assessing the entity's capacity to manage risk. Such assessments may be voluntary or may be required by law or regulation. Such assessments should provide assurance that: _______ _______ _______
The five components and 20 principles articulated herein are present and functioning in the organization. These components and principles are fully integrated, to ensure that decisions and actions respond appropriately to changing environments. The controls needed to achieve the principles articulated herein are present and functioning.
Keys to Success in Starting ERM—The keys to success when starting ERM, which are summarized in the following figure, can help organizations avoid common pitfalls in establishing an ERM initiative. What are the first two?
Theme 1: Start at the top; secure board and management support. Establishing a strong tone at the top in support of ERM will make ERM a priority and help define the culture of the organization. For more on this topic, see the ERM Governance and Culture lesson. Theme 2: Clearly communicate the role and objectives of ERM. ERM is sometimes misunderstood as primarily concerning compliance and regulation or as a risk identification exercise. In fact, the goal of ERM is to improve organizational decision making and increase the organization's value. Clarity in establishing the role and objectives of ERM helps build a culture in which all members understand that risk management is a part of their daily duties.
Keys to Success in Starting ERM—The keys to success when starting ERM, which are summarized in the following figure, can help organizations avoid common pitfalls in establishing an ERM initiative. What are the middle two?
Theme 3: Integrate ERM into the culture of the organization. To be effective, ERM must be part of the organization's culture and core business processes. One benefit of integrating ERM into the organization's culture will be increased knowledge and data sharing across units. Integrating ERM into the organization's culture also helps prevent "siloed" risk management, within which differing units undertake independent, nonaligned approaches to risk. In short, realizing maximum value from ERM requires an integrated approach. Theme 4: Focus on top strategies and business objectives. It is no surprise that ERM should begin with the organization's most important goals. And this, of course, requires that the organization has recognized and articulated these goals. It is also important that ERM be established as primarily focused on strategy, not risk.
Keys to Success in Starting ERM—The keys to success when starting ERM, which are summarized in the following figure, can help organizations avoid common pitfalls in establishing an ERM initiative. What are the last three?
Theme 5: Associate key risks with key strategies. What are the key risks that could impair the enterprise's ability to achieve its key strategies? Notice that the identification and assessment of risks follows the identification and assessment of the enterprise's strategies. This approach limits the organizational focus to a small number of key strategies and related risks. Theme 6: Start with simple actions and build incrementally. A misconception of ERM is that it requires a complex, costly, multiyear effort to realize value. In fact, ERM startup initiatives should focus on simple actions and look for small wins (i.e., opportunities to integrate ERM into existing, important organizational strategies). Some examples of this approach include: Educate the board and management about the importance of ERM. Identify how ERM can best fit within the organization's culture and governance structure. Articulate the benefit of each ERM action. The next figure shows examples of ERM actions and the related benefits of these actions. Theme 7: Leverage existing resources and risk management activities. To reiterate a previous point, ERM should build on existing resources (e.g., governance structures) and risk management activities (e.g., budgeting). ERM should not become overly complex, costly, or fully implemented in one development effort.
Officer certification of financial statements—To impose accountability for the accuracy of firms' financial statements, SOX's Section 302 requires: Each public company's CEO and CFO must certify that: ______ ____ _____ They must also certify that: They are responsible for establishing and maintaining their company's internal financial controls. They have designed such controls to ensure the relevant material information is made known to them. They have recently (within 90 days) evaluated the effectiveness of the internal controls. They have presented in the report their conclusions about the controls' effectiveness.
They have reviewed the quarterly and annual reports that their companies must file with the SEC; To their knowledge, the reports do not contain any materially untrue statements or half-truths; and Based on their knowledge, the financial information is fairly presented.
Communicate Risk Information—The organization uses communication channels to support ERM. Methods of communicating risk information may include: Electronic messages, including email, social media, text messages, and instant messaging; External, third-party materials including industry, trade, and professional journals, and reporting internal and external performance indices; Informal and verbal communications; Public events including presentations to investor groups and at conferences; _____ _______ _______
Training and seminars, including live and webcasts; Written internal displays, including documents, dashboards, surveys, policies, and procedures; and Additional methods as required for sensitive matters, such as a whistleblower hotline and procedures for communicating serious violations of policy or standards.
Report on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity. Types of reporting may include those listed next. The portfolio view of risk reports outlines the severity of risks at the entity level. These reports highlight the greatest risks to the entity, interdependencies between specific risks, and opportunities. These reports typically are found in management and board reporting. The profile view of risk is narrower and more focused than the portfolio view. Like the portfolio view, the profile view outlines risk severity but focuses on levels within the entity. For example, the risk profile of a division or operating unit may be an important report for management. Analysis of root causes (asking "why") enables users to understand assumptions and changes underpinning the portfolio and profile views of risk. Sensitivity analysis (e.g., using Monte Carlo simulation) measures the sensitivity of changes in key assumptions embedded in strategy and the potential effect on strategy and business objectives. Analyses of new, emerging, and changing risks (e.g., through brainstorming) provide the forward-looking view to anticipate changes to the risk inventory, effects on resource requirements and allocation, and the anticipated performance of the entity. Key performance indicators (KPIs) and measures outline the tolerance of the entity and significant potential risks. _____ ______ _______
Trend (i.e., over time) analyses evaluate movements and changes in the portfolio view of risk, risk profile, and performance of the entity. Disclosures of incidents, breaches, and losses (as appropriate) provide insight into the effectiveness of risk responses. Not all risk incidents will be disclosed to all stakeholders. Reports to track ERM plans and initiatives summarize ERM practices and results. Reports on investments in ERM resources, and the urgency by which initiatives are completed may also reflect the board and management's commitment to ERM and culture in risk responses.
__________—The state of not knowing how or if potential events may occur.
Uncertainty
Define Desired Culture—The board of directors and management define (and exhibit) the desired behaviors that characterize the entity's desired culture. Aligning Core Values, Decision Making, and Behaviors—A failure to adhere to core values generally occurs for one of these seven reasons: An inappropriate tone at the top exists (e.g., management claims strong ethics but doesn't exhibit ethical behaviors). The board fails to provide oversight of management. Middle and functional managers are misaligned with the entity's mission and core values. Risk is not integrated into strategy setting and planning. ____ _____ ____
Unclear and untimely responses to risk and performance outcomes occur. Excessive, inappropriate risk taking is not investigated or addressed. Management or employees deliberately act inconsistently with core values.
Assumption—An assertion (belief) about_______
a characteristic of the future that underlies an organization's ERM plan. For example, a business might assume that the demand for routers will not change substantially.
Define Desired Culture—The board of directors and management define (and exhibit) the desired behaviors that characterize the entity's desired culture. The organizational culture influences risk identification, assessment, and response. For example: Culture and strategy—A risk-averse organization (and culture) may decline to pursue _____________ Culture and risk assessment—Organizations may view the same event as either a negative or positive risk. For example, a risk-averse traditional retail organization (e.g., Sears) may view online sales as a threat to its brick-and-mortar business. In contrast, a risk-aggressive traditional retail company (e.g., Walmart) may see online sales as an opportunity to increase sales and market share.
a strategy of fracking, mining, and drilling on untapped, suburban land where the risks of environmental or health harm are high.
Target risk—The desired level of risk set by an entity. Tolerance—The boundaries of____
acceptable variation in performance related to achieving business objectives. Like risk range, but risk range is a statement (or measure) of risk while tolerance is a measure of performance.
Risk inventory—A listing of the entity's known risks. Risk owners—Managers or employees who are______
accountable for the effective management of identified risks.
Implement Risk Responses—The organization identifies and selects risk responses. Acceptable risk response categories include: Accept—No action is taken to change the severity of the risk. Appropriate when the risk is already within risk appetite. Risk that is outside the entity's risk appetite and that management seeks to accept will generally require approval from the board or other oversight bodies. Avoid—Act to remove the risk, which may mean ceasing a product line, declining to expand to a new geographical market, or selling a division. Choosing avoidance suggests that the organization was unable to identify a response that would reduce the risk to an acceptable level of severity. Pursue—Accept increased risk to achieve improved performance. This may include adopting more ______________ When choosing to pursue risk, management understands the nature and extent of any changes required to achieve desired performance while not exceeding the boundaries of acceptable tolerance. Reduce—Act to reduce the severity of the risk. This includes many possible business decisions that reduce ___________ Share—Reduce the severity of the risk by ___________ Common techniques include outsourcing to specialist service providers, purchasing insurance products, and engaging in hedging transactions. As with the "reduce" response, sharing risk lowers residual risk. In some situations, an entity may need to revisit its business objectives and strategy to reformulate them as a part of responding to a severe risk (e.g., the threat of bankruptcy). Influences on management's decision to select and deploy risk responses include the business context, costs and benefits, obligations and expectations, risk priority, risk appetite, and risk severity. It is often easier to measure the costs of risk responses than their benefits (since costs are more tangible and measurable than are expected losses).
aggressive growth strategies, expanding operations, or developing new products and services. risk to an amount of severity aligned with the target residual risk profile and risk appetite. transferring or sharing a portion of it.
SOX's Title IV contains provisions that even more directly impact financial reporting practices: Financial statement shenanigans—SOX's Section 401 contained several provisions to limit financial monkey business: Off-balance sheet transactions—SOX requires that quarterly and annual financial reports filed with the SEC disclose ____________ It also instructed the SEC to figure out how to reduce the use of "special purpose entities" to facilitate misleading off-balance sheet transactions. The rules that the SEC issued focus on ensuring that transactions are motivated primarily by economics rather than by accounting and reporting concerns.
all material off-balance sheet transactions, arrangements, obligations, and other relationships with unconsolidated entities that might have a material impact on the financial statement.
Additionally, CEOs and CFOs must certify that they have reported to the auditors and the audit committee regarding ___________in the controls and any fraud, whether or not material, that involves management or other employees playing a significant role in the internal controls. Finally, the CEO and CFO must indicate whether or not there have been any significant postevaluation changes in the controls that could significantly affect the controls.
all significant deficiencies and material weaknesses
Define Desired Culture—The board of directors and management define (and exhibit) the desired behaviors that characterize the entity's desired culture. Culture and resource allocations—A risk-averse entity may ___________. In contrast, a risk-seeking entity may expend fewer resources in pursuit of specific objectives. For example, a risk-averse entity might purchase insurance to help achieve a business objective (e.g., reduced likelihood of losses due to cyber breaches), whereas a risk-seeking entity may choose to self-insure for these potential losses. Culture and risk responses—A risk-averse entity may respond more quickly to __________ For example, a risk-averse airline may adjust flight schedules quickly in response to changing weather conditions. In contrast, a more risk-aggressive bus company may maintain existing operations and schedules longer in response to adverse weather.
allocate more resources to increase its confidence in achieving specific objectives. variations in performance compared with a risk-aggressive entity.
Terms: Key performance indicators (KPIs)—High-level measures of historical performance of ____
an entity and/or its major units.
Practices—The methods and approaches deployed within ______
an entity relating to managing risk.
Develop Portfolio View—The organization develops and evaluates a portfolio view of risk. Using the portfolio view of risk enables ___________ This enables management to assess whether the entity's residual risk profile aligns with its risk appetite. Developing a Portfolio View—Multiple acceptable methods exist for creating a portfolio view of risk. One approach is to begin with major risk categories with metrics such as capital at risk.
an organization to identify risks that are severe at the entity level.
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. Prospect theory and the "framing" of risks—Prospect theory argues that, in most settings, losses __________ For example, when a risk is framed as a gain (i.e., getting a sure thing versus a likelihood of getting something), most people prefer the sure thing (i.e., a risk-averse choice). In contrast, when a risk is framed as a loss (i.e., losing something versus a likelihood of losing something), most people prefer the risky alternative (i.e., a risk-seeking choice). Prospect theory matters to ERM since the way that a risk is presented (as a gain or a loss) can influence people's response to it.
are more consequential than gains and that how a risk is "framed" (i.e., presented) influences how people respond to it.
Vision—The entity's_____
aspirations for its future state or what the organization aims to achieve over time.
Mission, Vision, Values, and Strategy in ERM—ERM begins with an entity's mission, vision, values, and strategy. These are: Mission—Why the entity exists (i.e., its core purpose). States what the entity wants to achieve. Vision—The entity's aspirations for its future; states what the organization wants to achieve and be known for and as. Core values—The entity's _____ Strategy—The organization's plan to achieve its mission and vision and apply its core values.
beliefs and ideals about morality (i.e., what is good or bad, acceptable or unacceptable); influences individuals' and organizational behavior.
Analyzing the Portfolio View—The portfolio view of risk requires ______________ Management should "stress test" the risk portfolio, to assess the effect of hypothetical changes in the business context (e.g., "what if sales drop by 10%?"). Such analysis is likely to reveal new and emerging risks and to clarify the adequacy of planned risk responses.
both quantitative (numeric) and qualitative (in words) risk assessment methods.
Correcting Some Misconceptions of ERM—ERM is not simply a listing of risks (this is called a "risk inventory"). ERM includes the practices, including creating an appropriate culture, to manage risks. ERM is not just for big corporations. ERM is essential for all organizations, regardless of size or mission. ERM is not the same as internal control. ERM includes a broader mandate than internal control, in that ERM considers risk appetite and strategy as _______ ERM cannot be an add-on activity that functions independent of the organization's structure and processes. Instead, ERM must be integrated into and throughout the organization. Hence, ERM initiatives that are isolated (not integrated) are likely to be less effective at managing dynamic risks.
central concerns.
Assess Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives. In the external environment, a changing regulatory or economic environment can increase _______ or change _______ Such changes can introduce new or altered risks. For instance, if toxic chemicals are released in a populated area (e.g., at the Union Carbide plant in Bhopal, India), new industry-wide restrictions may regulate production, shipping, or logistics.
competitive pressures or change operating requirements.
CFO code of ethics—SOX Section 406 requires public companies to disclose in their filings with the SEC whether or not they have adopted a code of ethics for senior financial officers (CFOs, comptrollers, principal accounting officers, and others performing similar functions) and, if not, the reasons why not. The code is to address such matters as _____ The goal of the disclosure requirement is to embarrass firms into adopting such codes.
conflicts of interest, accurate financial reporting, and compliance with governmental rules and regulations.
Entity—Any form of for-profit, not-for-profit, or governmental body. An entity may be publicly listed, privately owned, owned through a cooperative structure, or any other legal structure. Event—An occurrence or set of occurrences. Mission—The entity's ____
core purpose, which establishes what it wants to accomplish and why it exists.
Culture—An entity's _____
core values, including its attitudes, behaviors, and understanding about risk.
The ERM framework includes five components and 20 principles. These are illustrated below and discussed in this and the next lesson, "ERM Governance and Culture." The five components of the ERM framework are: Governance and Culture—These are the _________. Governance is the allocation of roles, authorities, and responsibilities among stakeholders, the board, and management. An organization's culture is its core values, including how the organization understands and manages risk. Strategy and Objective-Setting—ERM must integrate with strategic planning and objective setting. For example, an organization's risk appetite is partly a function of its strategy. Business objectives are the practical implementation of a chosen risk appetite and strategy. Performance—The "Introduction to COSO Enterprise Risk Management: Strategy and Risk" lesson gives examples of performance measures. Risk identification and assessment is concerned with developing an organization's ability to achieve its strategy and business objectives, as measured by performance. Review and Revision—Periodic and continuous review and revision of ERM processes enables an organization to increase the value of its ERM function. Information, Communication, and Reporting—Communication is the _____________. This function includes reporting on the organization's risk, culture, and performance.
cornerstones for the other ERM components. continual, iterative process of obtaining and sharing information to facilitate and enhance ERM.
Corporate Responsibility—Studies indicate that CEOs and CFOs are often involved in companies' financial wrongdoing, so it is natural that Sarbanes-Oxley's Title III contains several provisions dealing with responsible corporate governance that have an important impact upon the accuracy of firms' financial reporting. These include: Audit committees—Audit committees have long monitored the internal audit function and overseen the financial reporting processes and annual financial statement audit. But SOX created a much larger role for public company audit committees and changed their composition. Before SOX, the same CEOs and CFOs who were often involved in financial tomfoolery selected, compensated, and terminated their company's outside auditor. To strengthen corporate governance by reducing the control of CEOs and CFOs, SOX's Section 301 requires public companies to _____________ Audit reports are now addressed to the audit committee rather than to corporate management.
create audit committees that will choose, compensate, oversee, and terminate their company's auditors.
White-Collar Crime Penalty Enhancements—The key provision in Title IX of SOX complements Section 302 (which required CEOs and CFOs to personally certify the financial statements they signed and internal controls they created) and Section 404 (which required those internal controls to be audited). That provision is Section 906, which imposes ____________ Punishments can run as high as up to $5 million in fines and 20 years in jail. Other Title IX provisions increase punishments for conspiracy to commit securities fraud, for committing mail and wire fraud, and for criminally violating the Employee Retirement Income Security Act (ERISA).
criminal punishments upon those officers who "intentionally" certify SEC filings containing inaccurate financial statements.
Communicate Risk Information—The organization uses communication channels to support ERM. Communication between the board and management begins with a shared understanding of the entity's strategy and business objectives. Board members must have a _________ Board and management discussion of risk appetite may occur in quarterly meetings or in special meetings to discuss specific events or risks, such as cyber terrorism, chief executive succession, or mergers.
deep understanding of the business, including its strategy and value and cost drivers.
Emerging Issues and Opportunities in ERM—Integrating Big Data into ERM—The growth and availability of big data will create emerging opportunities for continuous monitoring, advanced analytics, and data visualization. It will also create organizational risks related to data privacy, ethics, and information availability and transparency. Integrating Artificial Intelligence (AI) into ERM—The pairing of big data with AI will enable the _____ Managing ERM Costs—Managing risk is costly; as ERM practices evolve, seeking maximum benefits at _________ is an important challenge and goal.
discovery of hidden relationships in data, which will create faster, more accurate, risk identification and responses. lower costs is an important challenge and goal.
SOX's Title IV contains provisions that even more directly impact financial reporting practices: Financial statement shenanigans—SOX's Section 401 contained several provisions to limit financial monkey business. Pro forma financial statements—To limit the abuse of pro forma financial statements, SOX also authorized the SEC to issue rules requiring that pro forma financial statements (those using non-GAAP financial measures) be presented in a manner that __________________. In response, the SEC issued Regulation G, which does not eliminate use of pro forma results but does impose a broad range of limitations upon the use of pro forma results, including a requirement that public companies disclosing such results include the most directly comparable GAAP financial measures and a reconciliation of the two. Management must also explain why the pro formas will provide valuable information to shareholders.
does not contain a material misstatement or half-truth and be reconciled with the financial conditions and results of operations under GAAP so that investors can readily detect the differences.
Performance management—The measurement of____
efforts to achieve or exceed the strategy and business objectives.
Portfolio view—A composite view of risk the ___
entity faces, which positions management and the board to consider the types, severity, and interdependencies of risks and how they may affect the entity's performance relative to its strategy and business objectives.
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. Risk Inventory—A risk inventory is a listing of an _____________. Risk inventories are more useful when risks are categorized—for example, by financial, customer, compliance, or IT risks.
entity's known risks.
Attract, Develop, and Retain Capable Individuals—The organization is committed to building human capital that aligns with its strategy and business objectives. Establishing and Evaluating Competence—Management, with board oversight, defines the human capital needed to achieve its strategy and business objectives. Attracting, Developing, and Retaining Individuals—Management establishes structures and processes to attract, train, mentor (guide and develop), evaluate, and retain (through incentives, training, and credentialing) competent individuals. Rewarding Performance—Incentives and rewards should be __________. Designing incentive systems requires consideration of related risks (e.g., of ethical violations) and responses. Nonmonetary rewards (e.g., responsibility, visibility, recognition) may be important components of performance rewards. Management consistently applies performance measures and regularly reviews the entity's measurement and reward system. Addressing Pressure—Many sources of pressure exist in organizations, including performance targets, regular cycles of specific tasks (e.g., negotiating labor or sales contracts), unexpected business changes, and economic downturns. Organizations may seek to positively influence pressure by rebalancing workloads, increasing resource levels, or reiterating the importance of ethical behavior. Excessive pressure (which can fuel unethical behavior) often results from unrealistic performance targets (particularly for short-term results), conflicting business objectives of differing stakeholders, and an imbalance between short-term financial rewards and longer-term objectives (e.g., environmental sustainability).
established by management and the board, consistent with the entity's short- and long-term objectives.
Risk—The possibility that ____
events will occur and affect the achievement of strategy and business objectives. "Risks" (plural) refers to one or more potential events that may affect the achievement of objectives. "Risk" (singular) refers to all potential events collectively that may affect the achievement of objectives. Note that to COSO, a risk may be positive (an opportunity) or negative (a failure or setback).
Managing ERM includes focus on the following elements of an organization: Linking to value through risk appetite—ERM occurs relative to an organization's risk appetite (defined later in this lesson). The organization's risk appetite is reflected in its mission, values, and strategy. Differing strategies expose an entity to different risks. Risk appetite must ________. For example, a successful company will likely accept more risk in an economic downturn than when economic conditions are favorable.
evolve and adapt to changing conditions.
How does an organization begin the process of integrating ERM into its governance process? The key is to add ERM to ____________________. For example, most organizations have a budget process. Integrating ERM into budgeting may start with adding one page to the existing budgeting process for each business unit. This page would describe: Risks—Events that may impair the unit's ability to achieve its budget objectives. Actions—Activities that the unit will undertake to monitor and manage the identified events.
existing governance activities rather than to create new processes and activities.
Demonstrate Commitment to Core Values—The organization demonstrates a commitment to its core values. Reflecting Core Values throughout the Organization—The communication of values within an organization is referred to as "tone." A consistent tone establishes a common understanding of core values and desired behaviors. Aligning the tone and culture of an organization (e.g., "safety first") enables stakeholders to _________
feel confident that the organization will act in a manner consistent with its core values.
Formulate Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy. The first COSO ERM lesson gave categories of business objectives. Business objectives must align with the strategy. Management must ____________ a chosen business strategy.
fully understand the implications of
Core values—The entity's beliefs and ____
ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.
Assess Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives. Substantial changes bring new or altered risks, which must be ___________. Hence, organizations must continually monitor for new or altered risks. Identifying substantial changes, evaluating their effects, and responding to the changes are iterative processes. Postevent reviews, following substantial changes, can help determine the lessons that can be applied to future events.
identified and integrated into the organization's risk portfolio.
Evaluate Alternative Strategies—The organization evaluates alternative strategies and their potential impact on the risk profile. The strategy must align with the mission, vision, and core values and with the organization's risk appetite. The organization must understand the ________________. The organization must also understand the assumptions underlying the strategy. Popular approaches to evaluating strategy include a SWOT analysis (strengths, weaknesses, opportunities, threats).
implications of the chosen strategy related to the business context, resources, and organizational capabilities.
Establish Operating Structures—The organization establishes operating structures that support the strategy and business objectives. ERM Structures—Many organizations have risk committees appointed by the board. Complex organizations may have multiple risk committees. All committees that are responsible for managing enterprise risk should ____________
include statements of committee authority, committee membership, expected frequency of meetings, committee responsibilities, and operating principles.
IT and Fraud—IT can both facilitate fraud and help prevent and detect fraud. A poorly designed accounting system __________ Examples of IT fraud risks:
Reporting fraud: financial—Hackers or employees may gain unauthorized access to accounting applications and change financial information. (a) System controls may include fail-safe mechanisms that can be overridden in some circumstances. These fail-safe mechanisms can, in some situations, facilitate inappropriate access to systems, resulting in changes to financial data.
Reporting fraud: nonfinancial—As the Volkswagen fraud illustrates, employees may override controls, including system controls, to falsify nonfinancial reports.
Misappropriation of assets—Theft or misuse of assets. E.g., access to both the accounting records and to assets creates many opportunities for theft (e.g., creating fictitious vendors and "paying" falsified invoices).
Other illegal acts and corruption—Data theft and abuse is an increasing problem (e.g., North Korean theft and hack of Sony video content, which was motivated by revenge and not financial gain).
increases fraud risk.
Independent directors—Importantly, SOX requires audit committees to be composed entirely of _________ Also, as discussed below, at least one of the audit committee members must be a "financial expert."
independent directors—people who are neither officers of the company nor consultants or advisors who collect significant fees from the company or its affiliates.
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. Assess Severity of Risk—The organization assesses the severity of risk. The severity of risks should be assessed at multiple levels. Risks at higher levels (i.e., that influence strategy and entity-wide objectives) are more likely to _____
influence the entity's overall reputation and brand than risks that occur at lower levels (e.g., to a business unit's objectives).
Managing ERM includes focus on the following elements of an organization: Developing capabilities—Organizations must hire, foster, promote, and nurture skills and competence. One critical competence is the capacity to adapt to change, including changes in technology. Adaptation and integration of ERM practices—ERM is dynamic; it requires adaptation to special projects, new initiatives, and innovative technologies. ERM is also integrated _________
into all divisions, business units, and functions in an organization.
Corporate and Criminal Fraud Accountability—SOX contained several provisions to increase criminal penalties and other forms of accountability for financial fraud and other wrongdoing. Many of those were contained in Title VIII. Supplementing the requirement that audit committees set up procedures for handling whistleblower complaints, Section 806 of SOX provides a civil damages action for public company whistleblowers who are retaliated against (via demotion, suspension, harassment, etc.) for providing information in an investigation or participating as a witness or otherwise in a proceeding involving federal securities law violations or other frauds that might damage shareholders. The provision covers _______________. Whistleblowers are similarly protected when they file or assist in the filing of proceedings alleging a violation of these provisions forbidding fraud against shareholders. Whistleblowers are protected from retaliation if their belief that legal violations have occurred is reasonable, even if mistaken. Note that in 2010 the Dodd-Frank Act incentivized whistleblowers reporting securities law violations by authorizing judges to award them between 10% and 30% of monetary sanctions imposed on wrongdoers as a result of their tips when those sanctions exceeded $1 million.
investigations conducted by federal agencies, members of Congress or their staffs, or any person with supervisory authority over the employee.
Engaging advisers—In order to ensure that audit committees can be as effective as possible, SOX grants each audit committee authority to hire independent legal counsel and other advisers "as _______
it determines necessary to carry out its duties."
Key risk indicators (KRIs) measure emerging risks. They are usually quantitative (e.g., expected number of security incidents per quarter) but may be qualitative (e.g., likelihood of major fire at a manufacturing plant). KRIs are often reported with ______________. A key performance indicator for customer credit is likely to include data about customer delinquencies and write-offs (source: Beasley, Branson, & Hancock, 2010). A key risk indicator might anticipate potential future customer collection issues so that the credit function could be more proactive in addressing customer payment trends before risk events occur. A relevant KRI for this example might be analysis of reported financial results of the company's 25 largest customers or general collection challenges throughout the industry to see what trends might be emerging among customers that could potentially signal challenges related to collection efforts in future periods (source: Beasley, Branson, & Hancock, 2010).
key performance indicators (KPIs), which provide high-level measures of organizational performance.
Key performance indicators (KPIs)—High-level measures of historical performance of an entity and/or its major units. Performance measures—Measurable targets that are compared with outcomes. For example, a goal of no more than seven lost-time incidents at a factory is a performance measure. Severity—A measurement of considerations such as the _____
likelihood and impact of events or the time it takes to recover from events.
Prioritize Risks—The organization prioritizes risks as a basis for selecting risk responses. Prioritization assesses risk severity compared to risk appetite. Greater priority (importance) may be given to risks that are _________. The criteria for prioritizing risks may include: Adaptability—The capacity of an entity to adapt and respond to risks (e.g., responding to changing demographics, such as the age of the population and the impact on business objectives relating to product innovation). Complexity—The scope and nature of a risk to the entity's success. The interdependency of risks will typically increase with complexity (e.g., risks of product obsolescence and low sales to a company's objective of being market leader in technology and customer satisfaction). Velocity—The speed with which a risk impacts an entity. A high-velocity risk may move the entity quickly away from the acceptable variation in performance (e.g., the risk of disruptions due to strikes by port and customs officers affecting objectives of efficient supply chain management). _______ ________
likely to approach or exceed risk appetite. Persistence—How long a risk impacts an entity (e.g., the persistence of adverse media coverage and impact on sales objectives following the identification of potential brake failures and subsequent global car recalls) influences its priority. Recovery—The capacity of an entity to return to tolerance (e.g., continuing to function after a severe flood or other natural disaster). Recovery excludes the time taken to return to tolerance, which is considered part of persistence, not recovery.
Report on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity. Reporting risk to the board should include both formal and informal information sharing. For example, the board may have informal discussions about the implications and risks of alternative strategies. Formal reporting plays a significant role in the board's oversight of the ERM practices deployed by management. Reporting to the board should focus on the __________
links among strategy, business objectives, risk, and performance and should include the entity's portfolio view of risk.
"Black swans" or "unthinkable risks" are _________. For example, imagine that a global pandemic occurs that temporarily destroys a portion of the world economy.
low-frequency but high-impact events which can have severe negative impacts on organizations
Leverage Information Systems—The organization leverages the entity's information and technology systems to support enterprise risk management. Obtaining and using relevant information to support ERM may include the following actions: For governance and culture-related practices, information on standards of conduct and individual performance relative to those standards is valuable. For instance, professional service firms have specific standards of conduct to help __________. Annual staff training reinforces those standards, and management gathers information by testing the staff's knowledge. For practices related to strategy and objective-setting, the organization may ___________. Stakeholders such as investors and customers may express their expectations through analyst calls, blog postings, contract terms and conditions, and others. These actions will provide information on the risk an entity may be willing to accept and the strategy that it pursues. For performance-related practices, organizations may need information on their competitors to assess risk changes. For example, a large residential real estate company may assess the risk of losing market share to smaller boutique firms by reviewing their competitors' commission pricing models and online marketing. If competitors' commission rates are low and aggressive and their online presence is widespread, the large company may review its ability to achieve its sales targets. For review and revision-related practices, organizations may value information on emerging ERM trends. Such information may be available at ERM conferences and industry-specific blogs and consortiums.
maintain independent relationships with clients. value information on stakeholder expectations of risk appetite.
Basic corporate law sets up a three-part pyramid, with the shareholders at the bottom, the directors in the middle, and the officers on top. The shareholders' right to vote to elect directors and right to vote on certain major structural changes, such as a merger proposal, constitute their primary input into corporate control. Directors are responsible for "big-picture" corporate policy. They also select, compensate, and remove corporate officers, who are at the top of the pyramid and are responsible for the day-to-day operations of the firm. It is important to emphasize that shareholders vote on directors but have __________. Officers execute their responsibilities through _________. These basic corporate principles are covered in detail in the "Business Structure" section of the Business Law topics covered in "Regulation."
no direct input regarding officers, a point frequently tested over the years. employees who are acting within the scope of their authority when they follow the directions of superiors or otherwise take actions in the best interests of their employers.
Uncertainty—The state of ________
not knowing how or if potential events may manifest.
Exercise Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives. Organizational Bias—The board must understand the potential for ______
organizational biases (e.g., dominant personalities, disregarding information contrary to management's wishes) and challenge management to overcome them.
Managing ERM includes focus on the following elements of an organization: Entity culture—An organization's culture is the way that ____________. Culture reinforces and amplifies the organization's mission and strategy when the culture ____________. Culture undermines these documents when it is hypocritical (i.e., when the mission and strategy say one thing but the organization's culture and its leaders act inconsistently with these documents).
people in the organization think and behave. backs these written documents with supportive actions and behaviors.
Define Desired Culture—The board of directors and management define (and exhibit) the desired behaviors that characterize the entity's desired culture. Culture and Desired Behavior—External influences include regulatory requirements and customer and investor expectations. In relation to risk, organizational culture exists on a continuum of risk averse, risk neutral, and risk seeking (aggression). A risk-aware culture may ________. Organizational units may choose to be more risk seeking or risk averse within the context of the entity's overall risk appetite. For example, an aggressive sales unit may focus on sales without careful attention to regulatory compliance. In contrast, the risks of cloud storage may cause an organization to proceed with care and caution before contracting with a cloud service provider.
permit both approaches, if both are within the organization's risk tolerance and appetite.
Strategy—The organization's________
plan to achieve its mission and vision and apply its core values.
Identify Risk—The organization identifies risk that impacts the performance of strategy and business objectives. Assess Severity of Risk—The organization assesses the severity of risk. Selecting Severity Measures—Severity measures should align with the size, complexity, and nature of the entity and its risk appetite. Severity measures may include: Impact—The result or effect of a risk, which may be stated as a ______________. Likelihood—The possibility of a risk occurring expressed as a probability (in words or numbers) or as a frequency. For example: In words (qualitative)—"The possibility of a major fire in a manufacturing plant (with associated impacts on production and sales) within the next 12 months is remote." In numbers (quantitative)—"The possibility of a major fire in a manufacturing plant (with associated impacts on production and sales) within the next 12 months is 5%." Frequency—"A major fire in a manufacturing plant (with associated impacts on production and sales) is likely to occur once ________
possible range of impacts and may be positive or negative. every 25 years."
Analyze the Business Context—The "business context" consists of the trends, events, relationships, and other factors that may influence, clarify, or change an entity's strategy and business objectives. The risk-aware organization considers the ___________ its risk profile. For example, the business context may be dynamic or static, complex or simple, and predictable or unpredictable. The external environment and stakeholders influence the business context. For example, a regulatory agency may grant or deny an entity a license to operate or may force an entity to shut down. An investor may withdraw capital if _________. The external environment can be categorized by the (quite weird) acronym: PESTLE (political, economic, social, technological, legal, environmental), as is illustrated in the next figure.
potential effects of the business context on. she disagrees with an entity's strategy or performance.
What Is Enterprise Risk Management (ERM)?—ERM is the culture, capabilities, and_______
practices by which organizations manage risk to create, preserve, and realize value (performance).
Approaches and Methods of Identifying Risk—Risk identification methods may include: Cognitive computing—AI methods of data mining and analysis. Data tracking of past events to help __________. Interviews that probe individuals' knowledge of past and potential events. For large groups, questionnaires or surveys may be used. Key risk indicators (KRIs) are qualitative or quantitative measures that help identify risk changes. Risk indicators should not be confused with performance measures, which are typically retrospective. Process analysis involves _______________. Once mapped, risks can be identified and considered in relation to business objectives. Workshops bring together individuals from divergent functions and levels to draw on the group's collective knowledge and develop a list of risks. Assumptions (defined at the end of this lesson) underlie risk assessments. When entities make assumptions explicit, risk assessments improve. In one case, management set objectives based on an assumption that the exchange rate for a local currency (where a product was manufactured) would remain unchanged. However, when the exchange rate increased by more than 10%, a new risk (to meeting profitability targets) emerged.
predict future occurrences. Data sources may include third-party databases that provide industry or region data about potential risks. diagramming a work process to better understand the interrelationships of its inputs, tasks, outputs, and responsibilities.
Exercise Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives. Accountability and Responsibility—The board of directors has _______ for risk oversight; management's responsibility is the day-to-day management of risk. The board must have the skills, experience, and business knowledge to exercise its risk oversight function. The expertise needed to exercise oversight may ________
primary responsibility. change with the business (e.g., increasing cyber risks may require IT expertise on a board).
A risk-aware organization identifies triggers that will ____________. Triggers are often changes in the business context but may also include changes in risk appetite. Examples of potential triggers include an increase in customer complaints, a downturn in a critical economic index, a sales decrease, or a spike in employee turnover or accidents. Triggers may also come from a competitor—such as the recall of a competitor's product or the competitor releasing a new competing product. Bias (e.g., through framing) may result in a __________. The careful presentation of risks (remember prospect theory) may reduce potential biases.
prompt a reassessment of risk severity. risk being over- or underestimated.
Assess organizational risk—Risk severity should be assessed on the same time horizon as strategy and business objectives. Risks related to the mission, vision, and core values should be assessed on a longer time horizon. Risk assessment may use _____ or ____ approaches.
qualitative (words) approaches (e.g., interviews, workshops, benchmarking) or quantitative (numbers) approaches (e.g., modeling, decision trees, Monte Carlo simulations).
Define Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value. Applying Risk Appetite—Many organizations develop strategy and risk appetite simultaneously and allow them to co-evolve. Some organizations _______ risk appetite (i.e., state it in numbers); others state risk appetite in words.
quantify
Whistleblowers—Audit committees must establish procedures for ________ by whistleblowers about accounting procedures and internal controls and protecting the confidentiality of those complainants.
receiving, retaining, and treating complaints
Leverage Information Systems—The organization leverages the entity's information and technology systems to support enterprise risk management. Additional considerations in data management: Organizations implement standards and provide rules for structuring information so that the data can be _________. Emerging technologies increasingly support task execution. Examples of such activity include robotics (in manufacturing), the Internet of Things (IoT), smart appliances (that manage energy use), and wearable technologies (for monitoring human and livestock activity). The next example illustrates an application of information systems to harvesting and managing relevant data.
reliably harvested, sorted, indexed, retrieved, and shared with both internal and external stakeholders, ultimately protecting its long-term value.
Review Risk and Performance—The organization reviews entity performance and considers related risks. A finding that performance fell outside of tolerance or that the risk profile significantly differed from expected may motivate a review of business objectives, strategy, culture, target performance, severity of risk analysis, risk prioritization, risk responses, or risk appetite. Revising risk appetite will ________.
require review and approval by the board or other risk oversight body (e.g., a risk committee).
Corporate Fraud Accountability—Complementing Section 301 (requiring audit committees to set up procedures to protect whistleblower confidentiality) and Section 806 (enabling a whistleblower suffering retaliation to sue for damages), Article XI's Section 1107 makes it a crime to ________________. Maximum potential punishment is a fine and/or up to 10 years in prison.
retaliate against an informant providing truthful information relating to the commission of any federal crime to law enforcement officers.
The Fraud Risk Management Process—Examples and Applications of Fraud Risk Management. Relevant questions in undertaking a program to manage _______________ fraud would include:
What are the main sources and drivers of company revenue?
Are revenues primarily from sales of many homogeneous products (e.g., consumer goods) or a small number of large transactions (e.g., large heavy equipment sales)?
Are revenue transactions primarily automated (e.g., from a website feed) or manual?
What are the industry-specific fraud risks of revenue?
What are revenue recognition incentives or pressures in the organization? (Bonuses? Penalties?)
What revenue recognition data are used by external stakeholders (e.g., financial analysts, bank loan officers)?
revenue recognition
Risk range—The acceptable level of _____
risk (highest to lowest) established by the organization. Similar to tolerance, but tolerance is a measure of performance while risk range is a statement about (or measure of) risk.
Risk capacity—The maximum amount of _________
risk that an entity can absorb in the pursuit of strategy and business objectives.
Report on Risk, Culture, and Performance—The organization reports on ________ Risk report users may include management, the board of directors, risk owners, assurance providers (e.g., internal and external auditors), external stakeholders (including regulators, rating agencies, community groups and others), and others.
risk, culture, and performance at multiple levels and across the entity.
Bot—A software application that ______
runs automated (usually simple) tasks (scripts) on the internet. For example, bots that search a website (e.g., eBay, airlines) for bargains. Also called an internet bot or web robot.
Auditing internal financial controls—Complementing Section 302's requirement for executive certification, Section 404 requires that each annual report contain an "internal control report" stating the responsibility of management for establishing and maintaining an adequate internal control structure so that accurate financial statements can be produced. The report must also contain an assessment, as of ____________. Importantly, Section 404 also requires outside auditors to evaluate the internal control assessment of the company as well as the financial statements. Thus, outside auditors of public companies audit both the financial statements and the internal financial reporting process that creates them.
the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures.
Risk profile—A composite view of
the risk assumed at a level of the entity or aspect of the business that positions management to consider the types, severity, and interdependencies of risks, and how they may affect performance relative to the strategy and business objectives.
Define Desired Culture—The board of directors and management define (and exhibit) the desired behaviors that characterize the entity's desired culture. Judgment—Good judgment involves making ____________. Judgment is required when little or contradicting information exists about alternatives or in periods of disruption to strategy, objective, performance, or risk profiles. Management judgment is susceptible to bias when over- or under-confidence exists in the organization's capabilities. Management teams with extensive experience, demonstrated capabilities, and a well-defined risk appetite are likely to ________
thoughtful, rational decisions from available information. evidence better judgment than those with less experience, fewer capabilities, and a poorly identified risk appetite.
Business context—The______
trends, events, relationships and other factors that may influence, clarify, or change an entity's current and future strategy and business objectives.