COSO ERM Update Applying The New Framework

Transcription

COSO ERM Update – Applying the New Framework
Paul J. Sobel, CIA, QIAL, CRMA
COSO Chairman
Chief Risk Officer – Georgia-Pacific

Focus of Presentation
Market acceptance of the COSO ERM Framework
Using COSO ERM to evaluate and advance risk management
COSO/WBCSD joint ESG guidance
Other guidance updates

New Graphics/Concepts Are Embraced
The graphic has stronger ties to the business model

Links to Strategy Are Better Understood
Explores strategy from three different perspectives:
– The possibility of strategy and business objectives not aligning with mission, vision and values
– The implications of the strategy chosen
– Risk to executing the strategy

Emphasis on Culture Is Resonating
Addresses the growing focus, attention and importance of culture within enterprise risk management
Explores culture within the broader context of overall core values
Depicts culture behavior within a risk spectrum
Explores the possible effects of culture on decision making

Still Questions on Links to Internal Control
The document does not replace the 2013 Internal Control – Integrated Framework
The two frameworks are distinct and complementary
Both use a components and principles structure
Aspects of internal control common to enterprise risk management are not repeated
Some aspects of internal control are developed further in this framework

Compendium of Examples
The compendium illustrates:
All principles
A variety of entity sizes, from global through to national, regional and local entities
Actual company practices, augmented with expected practices in select areas as needed
An ERM perspective from the business mindset

Principles Illustrated in Compendium
Primary examples
Secondary illustrations

Evaluating and Advancing ERM
Start with education
– Components and principles
– Role of ERM in strategic planning and value creation
Evaluate current and desired ERM states:
– Against the 20 principles
– Consider a maturity approach
Build on a SOX 404 assessment

Assessing the Effectiveness of ERM

Assessing the Effectiveness of ERM
Assess current state against the 20 principles
– Questions on each principle
– Nature of evidence for each principle
Identify gaps to the desired level for each principle
Determine actions to close gaps
– Short-term
– Long-term

The Global Landscape Continues to Shift

Top 5 Global Risks: likelihood (2009 vs. 2019)
1. Asset price collapse | Extreme weather events
2. Slowing Chinese economy (<6%) | Failure of climate-change mitigation and adaptation
3. Chronic disease | Natural disasters
4. Global governance gaps | Data fraud or theft
5. Retrenchment from globalization | Cyberattacks

Top 5 Global Risks: impact (2009 vs. 2019)
1. Asset price collapse | Weapons of mass destruction
2. Retrenchment from globalization (developed) | Failure of climate-change mitigation and adaptation
3. Oil and gas price spike | Extreme weather events
4. Chronic disease | Water crises
5. Fiscal crises | Natural disasters

Source: WEF 2019

Companies Have Been Impacted by the Changing Business Landscape
[Chart covering 2016, 2017 and 2018; data not recoverable from the transcription]

Joint COSO/WBCSD Guidance on ESG Risks

How Can This Guidance Help?
Enhanced resilience
A common language for articulating ESG-related risks
Improved resource deployment
Enhanced pursuit of ESG-related opportunities
Realized efficiencies of scale
Improved disclosure

Potential Updates to Existing Guidance
Monitoring Guidance
Understanding and Communicating Risk Appetite
Practical Approaches to Creating and Protecting Organizational Value
COSO in the Cyber Age

Potential New Guidance
Using COSO ERM to Manage Compliance Risks
Blockchain and its Impact on Internal Controls and Implications for ERM
Psychology and Sociology of Fraud
Assessment Tools for Risk
Robotic Process Automation and Artificial Intelligence (no known authors at this time)

Summary
COSO ERM seems to be getting traction in the marketplace
The five components and 20 principles can help assess the effectiveness of ERM
New ESG guidance may be helpful
The pipeline of guidance is starting to fill up

Paul J. Sobel, CIA, QIAL, CRMA
COSO Chairman
paul.sobel@gapac.com
www.coso.org
