www.pwc.com
COSO Enterprise Risk Management Framework: Integrating Strategy and Performance
Presentation for RBB Den Bosch, November 2017

Agenda
1. Introducing COSO: Who is COSO and what is the COSO ERM Framework?
2. What is new? What are the key changes? What do the components and principles mean?
3. Concluding: What are the key messages and takeaways from ERM@work?
4. More information: How to obtain a copy of the new Framework and obtain more information

"COSO recognises the growing expectation of organisations to manage, in an integrated and cohesive manner, risks emanating from across an enterprise."
Robert B. Hirth Jr., COSO Chair

PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance

Why update the ERM framework now?
Since 2004, the market has continued to evolve and the COSO Framework is evolving with it.
• Boards are expecting more from their organization's ERM practices and capabilities
• Stakeholders are seeking greater transparency and accountability
• Business environments are increasingly complex, technologically driven, and global
• There is a need to incorporate lessons learned from recent events, and the bar is rising
• Risk professionals are looking for a more up-to-date resource describing ERM concepts
• The range of ERM practices continues to evolve

Introducing COSO ERM

What is a company (really!) asking for…
Companies are not looking for (enterprise) risk management in itself; companies are looking for the following benefits:
- Reduce surprises and losses
- Reduce performance variability
- Improve resource deployment
- Identify and manage entity-wide risks
- Increase the range of opportunities
Since the recent publication of COSO ERM, many clients have already been asking PwC where to begin…

COSO's history – The Treadway Commission
The Committee Of Sponsoring Organizations (COSO) of the Treadway Commission was formed as a joint initiative to combat corporate fraud. COSO is supported by five supporting organizations.
Target audience:
1. Directors
2. Supervisors
3. Auditors
4. Specialists: finance, control, risk, compliance, etc.
5. Management
COSO Mission: To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO's 2004 Enterprise Risk Management – Integrated Framework is one of the world's most widely used risk management frameworks.
COSO and PwC have collaborated on frameworks and publications for 25 years (www.coso.org)
COSO ERM publications on the timeline: 2004 and 2017 (this publication).
Other COSO publications authored by PwC:
• 1992: Internal Control – Integrated Framework
• 2006: Internal Control over Financial Reporting: Guidance for Smaller Public Companies
• 2012: Understanding and Communicating Risk Appetite
• 2013: Internal Control – Integrated Framework
• 2013: Internal Control – Integrated Framework Executive Summary

Other risk management standards
Standards and/or frameworks may be internally developed or based on external, publicly accessible standards / frameworks such as:
• Basel II / III: issued by the Basel Committee on Banking Supervision
• AS/NZS 4360:2004 Risk Management: the Australian standard for RM
• ABIB
• Turnbull
• ISO 73/31000
• Open Compliance & Ethics Group (OCEG)
• M_o_R
• AIRMIC

Use of standards by sector (2014), in percentages:
Standard   | Financial services (N=57) | Profit sector (N=251) | Non-profit (N=251) | (column heading missing in source)
None       | 10,5 | 49,1 | 45,4 | 51,3
COSO       | 64,9 | 29,3 | 20,3 | 26,3
INK/EFQM   | 10,5 | 12,0 | 31,5 | 20,4
ISO 31000  | 17,5 |  4,4 | 12,0 | 12,0
6Sigma     |  5,3 | 11,2 |  3,6 |  8,0
Basel      | 63,2 |  0,1 |  1,2 |  0,7
M_o_R      |  3,5 | 14,3 |  4,4 |  4,6
Aus/NZL    |  1,8 |  0,1 |  1,2 |  0,7
OCEG       |  1,8 | 10,0 |  0,4 |  0,4
AIRMIC     |  1,8 |   -  |  0,4 |  0,3
Other      | 19,3 |  5,1 | 12,0 | 11,7

Written from the perspective of the business
The Framework was written from the perspective of the business to facilitate the integration of ERM and support acceptance and adoption by the business.
• There is often a 'siloed' approach to risk that is separate from the day-to-day management of an organisation.
• Risk management is perceived as an incremental activity performed by those independent of the business.
• The lack of integration can contribute to difficulties engaging with the business and in the ability to gain and offer insight, and ultimately curbs the value that ERM can offer.
• The Framework endeavors to remove risk 'jargon' and adopts the language of business to discuss concepts and practices.
• By using the same language, the Framework hopes to promote acceptance and adoption of ERM by the organization.
Note: In practice, ERM often refers to a team, a department or a part of the 'lines of defense'; in the Framework, however, it is discussed in the context of an organisation's culture, capabilities and practices used to manage risk.

Reasons for the implementation of the COSO (ERM) framework
1. COSO is the first worldwide acknowledged framework for IC (internal control)
2. Industry and geographically independent
3. Voluntary rather than obligatory
4. Comprehensive, including practical implementation techniques
5. The most referred to
6. Most other frameworks are based on COSO
7. Rapidly becoming the most accepted standard for ERM

What's new?
Introducing the 10 key changes to the 2017 Framework
1. A new framework structure: five components and twenty principles that align to the business lifecycle, making the risk conversation more intuitive for you
2. Explores the different benefits of ERM: from loss mitigation through to strategic advisor, and how they inform the design of a Framework
3. A focus on integrating risk management: linking risk with strategy setting and day-to-day activities, helping you to use ERM principles to support the creation, realization, and preservation of value
4. Suite of new graphics highlighting the relationship between risk and performance: demonstrating a new way to identify and assess the relationship between the amount of risk and the level of performance
5. Written from the perspective of the business: risk management concepts are discussed in terms of helping an organization create value, enabling you to realize true benefits from ERM
6. Deeper discussions on challenging topics: such as risk appetite and the portfolio view of risk
7. Explores management of risk at all altitudes of the organization: from entity level through to procedural level risks, making ERM more than just an isolated view of risk in the business
8. Addresses the evolving role of technology: in influencing an organization's strategy, business context and how it manages risk
9. Greater emphasis on culture: reflecting the changing demands and expectations of today's markets, helping your organization make responsible risk decisions
10. Coming soon, a Compendium of Examples: highlighting the implementation of principles across a variety of industries and entity types

Focus on integrating risk and strategy
The strategy setting process is a critical area of integration for enterprise risk management.
• Strategic blunders account for a majority of the losses in shareholder value compared to operational events, incidents or compliance failures
• Research suggests that organisations are looking to strengthen the integration between strategy and enterprise risk management
81% of the greatest losses in shareholder value since 2002 were attributable to 'strategic blunders'.*
* U.S. public companies around the world with at least US$1 billion in enterprise value on January 1, 2002 (1,053 companies met these criteria). Source: Dann, Le Merle and Pencavel, "The Lesson in Lost Value", Strategy+Business, November 2012.

COSO – From cube to string
[Figure: the 2004 COSO ERM graphic (cube) beside the updated 2017 COSO ERM graphic (string).]

The new framework emphasizes the value cycle
• The figure illustrates strategy in the context of mission, vision, and core values, and as a driver of an entity's overall direction and performance
• Integrating ERM with business activities and processes results in better information that supports improved decision-making and leads to enhanced performance
• The updated Framework enhances the conversation on risk across the whole value cycle of a company

Mission, Vision and Core Values
Describes what you strive to be and how you want to conduct business.
Example: healthcare provider. The mission and vision:
• Provide a view from up high about the acceptable types and amount of risk;
• Help establish boundaries;
• Focus on how decisions may affect strategy.
Core values are considered in the context of the culture the entity wishes to embrace.
"An organization that understands its mission and vision can set strategies that will yield the desired risk profile."

Strategy, Business objectives & Performance
Three dimensions regarding the relationship between risk and strategy:
1. Risk of: the possibility of strategy and business objectives not aligning.
   Example (HC provider): if the strategy were to focus on being the best specialist services provider, it would probably not be successful in providing a comprehensive range of patient services (mission).
2. Risk from: the implications of the strategy chosen.
   Example (HC provider): what is the type and amount of risk the organization is potentially exposed to, having adopted this strategy? What are the assumptions underlying this strategy, and would changes to these assumptions have little or great impact on achieving the strategy?
3. Risk to: risk to strategy and performance.
   Example (HC provider): the objective is to deliver high quality care; therefore the organization considers risks relating to employee capability, medical care treatment, healthcare legislation reform, access to electronic health records, etc.

Enhanced performance
• There is always risk associated with a performance target!
• The amount of uncertainty that exists is related to the amount of risk to performance:
  • E.g. agriculture producers are uncertain about their ability to produce enough to meet customer demands and profitability targets;
  • Airlines are uncertain about their ability to operate all flights on their schedule.
[Figure: the relationship between risk and performance is the risk profile, considering risk appetite and acceptable variation in performance.]

The new Framework adopts a components and principles structure
[Figure: the five components and their principles.]

Component 1: Governance & Culture (1)
• Governance and culture together form the basis for all other components of ERM.
• Governance determines the 'tone', indicates the importance of ERM and ensures adequate supervision.
• Culture includes ethical values, desired behaviour, and understanding of risk within the entity.
Component 1 consists of the following principles:
1. Exercises Board Risk Oversight: The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Operating Structures: The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Culture: The organization defines the desired behaviours that characterize the entity's desired culture.
4. Demonstrates Commitment to Core Values: The organization demonstrates a commitment to the entity's core values.
5. Attracts, Develops, and Retains Capable Individuals: The organization is committed to building human capital in alignment with the strategy and business objectives.

Component 1: Governance & Culture (2)
1. Exercises Board Risk Oversight
• Accountability and responsibility of senior management
• Expertise, experience and knowledge of the business
• Independence from senior management
• Good understanding of the value that ERM adds
2. Establishes Operating Structures
• Operating model
• Reporting lines
• ERM structure
• Rights, roles and responsibilities
3. Defines Desired Culture
• Culture characteristics
• Culture spectrum
• Desired behaviour
• Creating a risk-aware culture
4. Demonstrates Commitment to Core Values
• Core values
• Aligning core values, decision-making and behaviour
• Standards of conduct in line with the culture
• Open communication
• Evaluating and managing deviations
5. Attracts, Develops, and Retains Capable Individuals
• Determining and evaluating the required competencies
• Attracting, training, coaching, evaluating and retaining employees
• Rewards
• Succession planning

Managing culture in organizations
Sustainably successful organizations are characterized by a strong similarity between the actual and the desired culture. These are organizations that have embedded their core values into their daily actions.
[Figure: desired culture (shaped by identity, brand promise and strategy; stakeholders and environment; governance, risk and control; with the values commit, discipline, support, trust and constraint) compared with actual culture (behaviour, symbols and decisions, systems and structures; control, compliance, contract), with the questions: aligned? walk the talk? moments that matter? what to improve? dialogue?]

The value of a meaningful risk dialogue
Risk dialogue: continuous dialogue, discussion and debate within organizations, resulting in a better understanding of complexity by decision makers and internal supervisors.
A meaningful risk dialogue indicates:
• The importance of diversity
• The importance of the right attitude and being "competent"
• The importance of out-of-the-box thinking (e.g. beyond organizational boundaries)
• Appreciation of (risk) culture (challenge, chronic unease)
• Awareness of human limitations

Risk culture and risk appetite
Risk culture is linked to the conversation about management's attitude towards risk taking.
[Figure: spectrum from Risk Averse through Risk Neutral to Risk Aggressive.]

Component 2: Strategy & Objective-Setting (1)
• ERM is integrated into the strategic plan.
• An understanding of the business context is required to assess internal and external factors (and their impact on risk).
• Determining the risk appetite is part of strategy planning/determination.
Component 2 consists of the following principles:
6. Analyzes Business Context: The organization considers potential effects of business context on risk profile.
7. Defines Risk Appetite: The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates Alternative Strategies: The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates Business Objectives: The organization considers risk while establishing the business objectives at various levels that align and support strategy.

Component 2: Strategy & Objective-Setting (2)
6. Analyzes Business Context
• Business context = dynamic, complex & unpredictable
• Taking internal and external environments and stakeholders into account
7. Defines Risk Appetite
• Determining the risk appetite
• Articulating the risk appetite
• Setting the target, range, upper and lower limits
8. Evaluates Alternative Strategies
• Understanding the implications of the chosen strategy
• Aligning the strategy with the risk appetite
• Making changes to the strategy
9. Formulates Business Objectives
• Setting business objectives
• Cascading and applying the risk appetite
• Aligning business objectives with the strategy
• Understanding the implications of the chosen objectives
• Categorizing objectives
• Performance indicators, targets and risk tolerance

The business context defines the risk profile… and therefore influences the risk appetite
Now: monopolist; foundation / state participation; active in NL only; sensitive to fraud; regulated on several themes; off-line market only.
Future: market party; limited/public company; active in NL and outside NL?; sensitive to fraud; regulated on several themes; off-line and on-line market; further open questions (marked "?" in the source).

An example: Risk appetite
Risk categories and what they measure:
• Strategic: impact on realization of strategic goals and competitiveness
• Service: impact on quality of service (client satisfaction)
• Reputation: impact on reputation and/or relationship with external stakeholders
• Financial: impact on profit and loss statement and/or balance sheet
• Compliance: impact in the form of penalties imposed by the supervisor or supervisory pressure
[Figure: each category is rated on a five-point scale, Very Low (1), Low (2), Medium (3), High (4), Very High (5), for Now (until privatization) and for Future (after privatization); the source plots a 3 for every category in both periods.]

Risk appetite 'translated' further
Risk appetite (risicobereidheid): "The amount of risk (per type), at a high level of abstraction, that an organization is prepared to take in the pursuit of value creation."
• "Risk management criteria":
  o Valuation criteria
  o Possibly differentiated by risk type
  o Risk tolerance (KRIs)
  o A clear threshold for taking (additional) risk management measures (instead of a top 5 or top 10)
  o When to apply which risk strategy
• But also "operational criteria":
  o Authorization matrix
  o Investment criteria
  o Tender criteria
  o Dashboard criteria (colour codes)
  o Ranges around targets
  o Etc.
42% have determined their risk appetite.
Risk appetite characteristics                         | Percentage
Determined qualitatively                              | 77,0
Determined quantitatively                             | 68,2
Determined specifically for one or more risk groups   | 48,2
Risk appetite documented                              | 66,2
Risk appetite communicated                            | 61,0

Component 3: Performance (1)
• Identification and assessment of risks that threaten the realization of the strategy
• Prioritization of risks based on size / severity and in line with the risk appetite
• Selecting "risk responses" and monitoring performance
• In this manner, the organization develops a "portfolio view" of the total amount of risk to which the organization is exposed
Component 3 consists of the following principles:
10. Identifies Risk: The organization identifies risks that impact the performance of strategy and business objectives.
11. Assesses Severity of Risk: The organization assesses the severity of risk.
12. Prioritizes Risks: The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses: The organization identifies and selects risk responses.
14. Develops Portfolio View: The organization develops and evaluates a portfolio view of risk.

Component 3: Performance (2)
10. Identifies Risk
• Risk register
• Identifying risks by means of data analysis, interviews, workshops, process analysis, etc.
11. Assesses Severity of Risk
• Measuring the impact of risks
• Assessing risks using a qualitative and/or quantitative approach
12. Prioritizes Risks
• Establishing criteria for risk prioritization
• Risk prioritization in line with the risk appetite
• (Graphically) presenting the risk assessment
13. Implements Risk Responses
• 5 categories: accept, avoid, pursue, reduce and share
• Selecting a risk response based on factors such as business context, costs vs. benefits, risk appetite, etc.
14. Develops Portfolio View
• 4 levels: minimal integration, limited integration, partial integration and full integration
• Analysing the portfolio view using qualitative and/or quantitative techniques

Prioritizing risks
By the use of 5 criteria:
1. Adaptability: the capacity to adapt and respond to risks.
   • e.g. responding to changing demographics such as the age of the population.
2. Complexity: the scope and nature of a risk to the entity's success.
   • Interdependency of risks will typically increase complexity.
3. Velocity: the speed at which a risk impacts an entity.
   • This may move the entity away from the acceptable variation in performance.
4. Persistence: how long a risk impacts an entity.
   • e.g. immediacy of disrupted operations versus long-term reputational impact.
5. Recovery: the capacity of an entity to return to the acceptable variation in performance.
   • e.g. continuing to function after a severe natural disaster.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 33 Risk Responses Doel: resterend risico binnen gewenste risicotolerantie brengen Vijf risk respons categorieën: • Accepteren (“accept”) • Vermijden (“avoid”) • Nastreven (“pursue”) • Reduceren (“reduce”) • Overdragen (“share”) Avoid • Staken activiteiten • Uit de markt terugtrekken • Desinvesteren • Doelen veranderen • Schaal verkleinen Reduce Omgaan met risico vereist aanpassing van: • Organisatie • Mensen & Relaties • Richting • Uitvoering • Monitoring Share • Verzekeren • Delen (JV, allianties, partnerships) • Contracteren (outsource, toewijzen) • Diversificatie / spreiden • Hedge Accept • Opzettelijk najagen • Totale acceptatie • Financier de consequentie • Hou rekening met onzekerheid Pursue • Aannemen groeistrategieën • Uitbreiden activiteiten • Ontwikkeling nieuwe producten en diensten Management hanteert een organisatiebrede, of portfolio, kijk op risico om te bepalen of het restrisico overeenkomt met de gewenste risk appetite van de organisatie. 
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 34 De key risks Key risks 8 10 1 Avoid High Note: mapping on the strategy map provides an explicit insight in how risks potentially impact the objectives and strategy Practical Considerations 4 2 7 Reduces and/or share 6 5 11 9 12 Impact Med 3 • Objective is to drive action and allocation of resources • Begin to define – at a high level - the organizational risk response strategy Accept Low Low Medium High Likelihood Note: Risks are evaluated on likelihood and impact here – certain risks may warrant more complex or quantitative risk measurement models PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 35 Mappen van risico’s op de strategiekaart Toenemende werkdruk Financieringssystematiek Uitwisseling patiëntinformatie Privacywetgeving Eindverantwoordelijkheid multidisciplinaire ziektebeelden … Agressie in de zorg Beschikbaarheid IT Toenemende volumenormen Onhygiënisch handelen … … Kwalitatief personeel vasthouden Collectieve toetsing specialisten … Krapte arbeidsmarkt PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance Innovatieniveau May, 2013 36 3 Component 4: Review & Revision (1) • Changes in the internal and external environment can ensure that the chosen strategy is no longer optimal. • By evaluating performance, an organization can determine how well the ERM components function over time and under influence of significant changes. • Organizations can systematically identify and implement improvements in their ERM by continuously evaluating. Component 4 consists of the following principles: 15 Assesses Substantial Change The organization identifies and assesses changes that may substantially effect strategy and business objectives. 16 Reviews Risk and Performance The organization reviews entity performance results and considers risk. 
17 Pursues Improvement in ERM The organization pursues improvement of enterprise risk management. PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 37 Component 4: Review & Revision (2) 15. Assesses Substantial Change • Veranderingen in de interne omgeving • Veranderingen in de externe omgeving 16. Reviews Risk and Performance • Prestaties beoordelen • Beoordelen en aanpassen van doelen, strategie, cultuur, risk appetite, etc. indien targets niet behaald worden PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 17. Pursues Improvement in ERM • Nastreven van verbeteringen (bruikbaarheid en efficiëntie) in ERM • Continue evaluatie 38 Feedback gedurende het proces zorgt voor continue verbetering van (omgaan met) risico’s en RM Risico-elementen als onderdeel van de management cyclus: Control verbetering Risico analyse Control design Control evaluatie Control monitoring RM kan op verschillende niveaus worden toegepast: • • • • • • • Groepsniveau Regio niveau Vestiging niveau Project niveau Proces niveau IT niveau Afdeling niveau Om de doelstellingen te realiseren: Control implementatie • • • • PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance Strategisch Operationeel Rapportage Compliance 39 Component 5: Information, Communication, & Reporting (1) • Communication = het continuous process of obtaining and sharing information • Management uses relevant and qualitatively good information from internal and external sources to support ERM. • The organization uses information systems to capture, process and manage data in information. Component 5 consists of the following principles: 18 Leverages Information and Technology The organization leverages the entity’s information systems to support enterprise risk management. 19 Communicates Risk Information The organization uses communication channels to support enterprise risk management. 
20 Reports on Risk, Culture, and Performance The organization reports on risk, culture, and performance at multiple levels and across the entity. PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 40 Component 5: Information, Communication, & Reporting (2) 18. Leverages Information and Technology 19. Communicate Risk Information • Relevante informatie gebruiken • Communiceren met stakeholders • Data analyse • Communiceren met de Board • Kwaliteit van informatie bewaken • Categoriseren van informatie • Diverse communicatievormen en methoden • Data management 20. Reports on Risk, Culture, and Performance • Identificeren gebruikers • Verschillende typen rapportages • Rapporteren aan de Board • KPI’s en KRI’s • Frequentie: dagelijks, maandelijks, per kwartaal, etc. • Geavanceerde technologieën gebruiken PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 41 Een gemeenschappelijke risicotaal • Standaard risicocategorieën en definities (risicomodel) ter bevordering van ondubbelzinnige risicocommunicatie 29. Capacity risk 30. Leadership risk 31. Management fraud risk • Insufficient resources threatens the firm’s ability to meet customer demands, or excess capacity threatens the firm’s ability to generate competitive profit margins. The firm’s people are not being effectively led, which may result in a lack of direction, customer focus, motivation to perform, management credibility and trust throughout the firm. Intentional misstatement of financial statements or misrepresentation of the firm’s capabilities or intentions may adversely affect external stakeholders’ decisions. Gemeenschappelijk begrip van risicomanagement termen om misinterpretaties in de uitvoering van risicomanagement processen te voorkomen Event Inherent risk Risk tolerance An incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives. 
The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.

The acceptable variation relative to the achievement of an objective.

PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 42

KRIs differ from KPIs

Performance indicators (KPIs)
• Focus on results achieved;
• Are used to monitor operational efficiency; alarm bells go off when the indicators exceed a predefined threshold.

Risk indicators (KRIs)
• Focus on risk tracking; are designed to monitor risks continuously and to issue warnings when a risk increases and/or controls do not function;
• Are generally more proactive; KRIs focus on the “why” and help identify weaknesses before a problem occurs.

23% have included KRIs in their reporting

Key Risk Indicators                               Key Performance Indicators
• Transaction volume vs. optimal capacity         • Number of transactions per second
• Errors in process X                             • Cost savings in process X
• Losses due to fraud for business unit Y         • Revenue growth for business unit Y

Risk Reporting: example

(Table with columns Key Risks, Risk Drivers and Key Risk Indicators, the latter split into Lagging and Leading.)

Key Risks: Over-supplied; Unstable supplies; High cost; Fraud/Embezzlement

Risk Drivers: Material shortage; Excess order; Dependency on specific suppliers; Inconsistency of suppliers (bankrupt, pulled out, …); Inaccuracy of BOM; Frequent changes to production plans; Delay of new product project; Discontinued items; Increase of market price of raw material; Late delivery; Overload at purchasing; Unit cost variability; Limited ways for cost saving; Limited information/negotiation; Insufficient supplier management; Preferential purchasing; Fictitious supplier; Duplicated invoices; Conflicts of interest

Key Risk Indicators, Lagging (Over-supplied): Avg. days of inventory (material); Slow-moving % (3M); $ Disposal value

Key Risk Indicators, Leading (Over-supplied): Automated order %; Excess order % (needed vs. ordered); Sole vendor item %; % Concentration of suppliers

Other indicators listed: Lead time (imported); % Increase of slow-moving items; % On-time delivery (imported); BOM error %; # of halted/suspended; Pre-order $ before mass production; % Variability of production plan; % of items with sharply dropped value; % Cost saving on purchasing; Material cost % (to total cost); $ Potential slow-moving (1M); % of new items registered; % of items without registered unit price; % Cost savings by type (negotiating, development of new vendors, sources, etc.); % Geographical proportion of sources; Cost gap among divisions; Turnover % at purchasing; % of certified members; # of suppliers with sharp increase of order volume/$; Changes of pre-defined quotas; Abnormal increase of unit price; Change of terms of payment; Supplier assessment results

Concluding

(Chart: Percentage of respondents that stated implementation of effective ERM Frameworks as the most common challenge in deriving its expected benefits.)

Practical ideas for how to get started…
1) Identify the benefits being sought from ERM by your organization
2) Determine the desired integration of enterprise risk management within the organisation
3) Prioritize the initiatives and resources required to implement or enhance existing cultures, capabilities and practices

Aligning Culture
• Secure board and senior management endorsement for implementing or enhancing the Enterprise Risk Management Framework
• Incorporate risk management expectations into training and incentives to enhance consistency in decision-making
• Communicate and clarify roles and responsibilities for risk management

Augmenting Capabilities
• Invest in tools, templates or technology that support risk management activities and decision-making
• Include third party providers and vendors in discussions on risk and performance
• Encourage discussion of the entity’s risk appetite and profile within governance forums and as part of management decision-making

Enhancing Practices
• Evaluate whether current practices align with desired integration and achieve benefits sought from ERM
• Review risk identification, assessment, prioritization and response processes for opportunities for enhancement
• Analyse reporting practices for opportunities to further integrate with performance reporting

Risk management: how do I make it work
• Existence: is an adequate system/approach available?
• Communication: is it conveyed to relevant people?
• Understanding: do they understand it?
• Support: does management support the implementation?
• Monitoring: is there an effective process for monitoring it?
• Enforcement: does management have a plan in place for enforcing it?

The human dimension counts

High-quality execution of risk management appears to benefit from, and usually focuses on, a strong instrumental approach. However, the human dimension is decisive for applying risk management successfully.
The main points of attention are:
• Group processes are the key to a high-quality risk profile; dialogue and action orientation underpin it;
• Communicate about risks and the way they are handled;
• Ensure responsibility, accountability and ownership of risks;
• Risk management can be experienced as threatening; transparency leads to vulnerability and gives insight into performance;
• Ensure a common RM language.

In conclusion
• COSO ERM is a means, not an end in itself
• COSO ERM is not exhaustive
• COSO ERM should be seen as an improvement cycle, not as instant perfection
• COSO ERM does not provide a ‘one-size-fits-all’ solution
• COSO ERM is not mandatory; you can do it your own way

More information

Staying involved
• Access the Framework at the COSO ERM Spark!-website (internal use only)
• View videos, blogs and articles at www.pwc.com/coso-erm

Marcel Prinsenberg
Senior Director Risk Consulting
Thomas R. Malthusstraat 5, P.O. Box 9616, 1006 GC Amsterdam, The Netherlands
T: +31 (0)88 792 7665
M: +31 (0)6 51 22 52 70
marcel.prinsenberg@pwc.com

Roy van der Sluis
Manager Risk Consulting
Thomas R. Malthusstraat 5, P.O. Box 9616, 1006 GC Amsterdam, The Netherlands
T: +31 (0)88 792 46 18
M: +31 (0)6 22 93 91 85
roy.van.der.sluis@pwc.com

Compendium of Examples

A compendium of examples is also being developed. The proposed compendium will illustrate:
• All principles
• A variety of entity sizes from global through to national, regional, and local entities
• A variety of industry types

Coming Soon…
• Actual company practices, augmented with expected practices in select areas, as needed
• Written from the perspective of the business

Examples:
• Governance in a higher education institution
• Culture in a government entity
• Culture in a financial services company
• Strategy and objective-setting in an energy company
• Strategy and objective-setting in a not-for-profit entity
• Performance in a consumer products company
• Performance in a technology company
• Review and revision in an industrial products company
• Risk information in a healthcare company

Appendices

Explores the benefits of ERM

Increasing the range of opportunities: By considering all possibilities, both positive and negative aspects of risk, management can identify new opportunities and associated challenges

Identify and manage risks entity-wide: Management identifies and manages these entity-wide risks to sustain and improve performance

Increasing positive outcomes: Improve management’s ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses

Reducing performance variability: Management can anticipate the risks that would affect performance and put in place the actions needed to minimize disruption and maximize opportunity

Improving resource deployment: Risk information enables management, in the face of finite resources, to prioritize resource deployment and enhance resource allocation

Enhancing enterprise resilience: Enhance management’s ability to anticipate and respond to change, not only to survive but also to evolve and thrive

• Enterprise risk management frameworks are as varied as the organizations they support.
• In their infancy, many frameworks focus on increasing positive outcomes and identifying entity-wide risks.
• Boards, senior management and stakeholders are increasingly expecting ERM to reduce performance variability, improve resource deployment and enhance enterprise resilience.
• This will often require that the capabilities and practices of an organization evolve in line with increasing expectations.
• The effectiveness of an enterprise risk management Framework is founded on fostering, designing and implementing the culture, capabilities and practices that align to intended benefits.
• A more detailed discussion of the benefits of ERM can be found in the COSO Executive Summary

Explores managing risk at all altitudes of the organization

The Framework highlights that risks emanate and must be managed at all levels of the organization. The Framework explores how risks can manifest at multiple levels within an organization, with some risks directly impacting the entity strategy while others impact business objectives. The Framework also addresses how risks can change in severity and prioritization at different levels of the organization, and how the impacts of correlation and diversification are considered when analyzing the risk profile or portfolio view of risk.

(Diagram: Entity Strategy at the entity level, cascading to Business Objectives 1 to 3, each with its own risks, Risk 1 to Risk 4.)

• Risk frameworks should ensure existing risk identification and assessment practices account for risks occurring at different levels of the organization
• Risk capabilities should account for how risk ratings and responses may exist and change at different altitudes within an organization
• Management should designate appropriate roles and responsibilities for the management of risk and execution of risk responses

Where to next?

Encourage your risk professionals to:
• Sync with the language of business in your organisation
• Understand how the organisation creates, realises and preserves value and the supporting assumptions
• Develop a clear understanding of where ERM is integrated

Challenge your organisation to not:
• View ERM simply as a function, team or department
• Consider ERM to be a stand-alone, periodic risk assessment or heat map
• View GRC technology as the entire approach for implementing ERM