COSO Enterprise Risk Management (ERM) Integrated Framework (2004) study guide mind map

1. see also COSO IC-IF mind map

2. Components (8) (front side)

2.1. What is it?

2.1.1. Represent what is required to achieve objectives.

2.2. Internal Environment

2.2.1. Summary:

2.2.1.1. The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the foundation for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity’s risk management philosophy; its risk appetite and risk culture; oversight by the board of directors; the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; and the way management assigns authority and responsibility, and organizes and develops its people.

2.2.2. Risk Management Philosophy

2.2.2.1. Value

2.2.2.2. Communicate in words and actions

2.2.3. Risk Appetite

2.2.3.1. Value

2.2.3.2. Qualitative

2.2.3.3. Quantitative

2.2.3.4. Linked to strategy

2.2.4. Risk Culture

2.2.4.1. Independent

2.2.4.2. Active

2.2.4.3. Involved

2.2.5. Board of Directors

2.2.5.1. Independent

2.2.5.2. Active

2.2.5.3. Involved

2.2.6. Integrity and Ethical values

2.2.6.1. Standards of behavior

2.2.6.2. Prerequisite

2.2.6.3. CEO example

2.2.6.4. Incentives

2.2.7. Commitment to Competence

2.2.7.1. Knowledge

2.2.7.2. Skills

2.2.7.3. Trade-offs

2.2.8. Management Philosophy and Operating Style

2.2.8.1. Formal vs. Informal

2.2.8.2. Conservative vs. Aggressive

2.2.8.3. Aligned

2.2.9. Organizational Structure

2.2.9.1. Reporting lines

2.2.9.2. Centralized / Decentralized

2.2.9.3. Matrix / Function / Geography

2.2.10. Assignment of Authority and Responsibility

2.2.10.1. Empowerment

2.2.10.2. Accountability

2.2.11. Human Resource Policies and Practices

2.2.11.1. Qualified

2.2.11.2. Training

2.2.11.3. Compensation

2.2.11.4. Incentives and Discipline

2.2.12. Differences in Environment

2.2.12.1. Management preferences

2.2.12.2. Value judgments

2.2.12.3. Management styles

2.3. Objective Setting

2.3.1. Summary:

2.3.1.1. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment and risk response is establishment of objectives, linked at different levels and internally consistent. Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity’s activities.

2.3.2. Strategic Objectives

2.3.2.1. High-level goals

2.3.2.2. Support mission / vision

2.3.2.3. Strategic choices

2.3.3. Related Objectives

2.3.3.1. Operations

2.3.3.2. Reporting

2.3.3.3. Compliance

2.3.3.4. Safeguarding of assets

2.3.4. Selected Objectives

2.3.4.1. Align and support

2.3.4.2. Management decision

2.3.5. Risk Appetite

2.3.5.1. Growth, risk and return

2.3.5.2. Resource allocation

2.3.5.3. People, process and infrastructure

2.3.6. Risk Tolerance

2.3.6.1. Acceptable variance

2.3.6.2. Unit of measure of objective

2.4. Event Identification

2.4.1. Summary:

2.4.1.1. Management identifies potential events affecting an entity’s ability to successfully implement strategy and achieve objectives. Events with a potentially negative impact represent risks, which require management’s assessment and response. Events with a potentially positive impact may offset negative impacts or represent opportunities. Management channels opportunities back into the strategy and objective-setting processes. A variety of internal and external factors give rise to events. When identifying potential events, management considers the full scope of the organization. Management considers the context within which the entity operates and its risk tolerances.

2.4.2. Events

2.4.2.1. Incident

2.4.2.2. Positive and / or negative impacts

2.4.3. Factors Influencing Strategy and Objectives

2.4.3.1. Internal

2.4.3.2. External

2.4.4. Methodology and Techniques

2.4.4.1. Ongoing

2.4.4.2. Periodic

2.4.4.3. Past and future

2.4.4.4. Supporting tools

2.4.5. Event Inter-dependencies

2.4.5.1. Triggering events

2.4.5.2. Interrelate

2.4.6. Event Categories

2.4.6.1. Common groupings

2.4.7. Risks and Opportunities

2.4.7.1. Negative impact: risks

2.4.7.2. Positive impact: opportunity; offsets to risksInternal

2.5. Risk Assessment

2.5.1. Summary:

2.5.1.1. Risk assessment allows an entity to consider the extent to which potential events might have an impact on achievement of objectives. Management should assess events from two perspectives − likelihood and impact− and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Potentially negative events are assessed on both an inherent and a residual basis.

2.5.2. Inherent and Residual Risk

2.5.2.1. Before management actions

2.5.2.2. After management actions

2.5.2.3. Expected and unexpected

2.5.3. Likelihood and Impact

2.5.3.1. Expected, worse-case, distribution

2.5.3.2. Time horizons

2.5.3.3. Unit of measure

2.5.3.4. Observable data

2.5.4. Qualitative and Quantitative Methodologies and Techniques

2.5.4.1. Qualitative

2.5.4.2. Quantitative

2.5.4.3. Inherent and residual basis

2.5.5. Correlation

2.5.5.1. Sequence of events

2.5.5.2. Categories

2.5.5.3. Stress testing

2.5.5.4. Scenarios

2.6. Risk Response

2.6.1. Summary:

2.6.1.1. Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing and acceptance. In considering its response, management considers costs and benefits, and selects a response that brings expected likelihood and impact within the desired risk tolerances.

2.6.2. Identify Risk Responses

2.6.2.1. Avoid

2.6.2.2. Reduce

2.6.2.3. Share

2.6.2.4. Accept

2.6.3. Evaluate Possible Risk Responses

2.6.3.1. Impact

2.6.3.2. Likelihood

2.6.3.3. Cost versus benefit

2.6.3.4. Innovative responses

2.6.4. Select Response

2.6.4.1. Management decision

2.6.5. Portfolio View

2.6.5.1. Entity level

2.6.5.2. Business unit level

2.6.5.3. Inherent and residual basis

2.7. Control Activities

2.7.1. Summary:

2.7.1.1. Control activities are the policies and procedures that help ensure that management’s risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities − as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

2.7.2. Integration with Risk Response

2.7.2.1. Build directly into management processes

2.7.2.2. Interrelate

2.7.3. Types of Control Activities

2.7.3.1. Policies

2.7.3.2. Procedures

2.7.3.3. Preventative

2.7.3.4. Detective

2.7.3.5. Manual

2.7.3.6. Automatic

2.7.4. General Controls

2.7.4.1. Information technology management

2.7.4.2. Information technology infrastructure

2.7.4.3. Security management

2.7.4.4. Software development and maintenance

2.7.5. Application Controls

2.7.5.1. Completeness

2.7.5.2. Accuracy

2.7.5.3. Authorization

2.7.5.4. Validity

2.7.6. Entity-Specific

2.7.6.1. Entity specific strategies and objectives

2.7.6.2. Operating environment

2.7.6.3. Complexity of the entity

2.8. Information and Communication

2.8.1. Summary:

2.8.1.1. Pertinent information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems use internally generated data, and information about external events, activities and conditions, providing information for managing enterprise risks and making informed decisions relative to objectives. Effective communication also occurs, flowing down, across and up the organization. All personnel receive a clear message from top management that enterprise risk management responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties.

2.8.2. Information

2.8.2.1. Internal

2.8.2.2. External

2.8.2.3. Manual

2.8.2.4. Computerized

2.8.2.5. Formal

2.8.2.6. Informal

2.8.2.7. Information systems architecture

2.8.3. Strategic and Integrated Systems

2.8.3.1. Strategic

2.8.3.2. Operational

2.8.3.3. Past and current

2.8.3.4. Level of detail

2.8.3.5. Timeliness

2.8.3.6. Quality

2.8.4. Communication

2.8.4.1. Internal

2.8.4.2. External

2.8.4.3. Entity-wide Expectations and responsibilities

2.8.4.4. Framing

2.8.4.5. Means of transmission

2.9. Monitoring

2.9.1. Summary:

2.9.1.1. Enterprise risk management is monitored – a process that assesses the presence and functioning of its components over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the normal course of management activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.

2.9.2. Ongoing

2.9.2.1. Real-time

2.9.2.2. Built-in

2.9.2.3. Day-to-day operations

2.9.3. Separate Evaluations

2.9.3.1. Scope

2.9.3.2. Frequency

2.9.3.3. Self-assessments / Internal auditors

2.9.3.4. Extent of documentation

2.9.4. Reporting Deficiencies

2.9.4.1. Ongoing

2.9.4.2. External parties

2.9.4.3. Protocols

2.9.4.4. Alternative channels

3. Objectives categories (4) (top side)

3.1. What is it?

3.1.1. Are what an entity desires to achieve.

3.2. 4 columns represent categories of an entity’s objectives, not parts or units of the entity.

3.3. This categorization of entity objectives allows a board and management to focus on separate aspects of enterprise risk management.

3.4. These distinct but overlapping categories – a particular objective can fall under more than one category.

3.5. Strategic

3.5.1. High-level goals, aligned with and supporting its mission.

3.6. Operations

3.6.1. Effective and efficient use of its resources.

3.7. Reporting

3.7.1. Reliability of reporting.

3.8. Compliance

3.8.1. Compliance with applicable laws and regulations.

4. Entity Structure: / Entity and units (4) (third dimension)

4.1. What is it?

4.1.1. Represent the operating units, legal entities and other structures

4.2. Subsidiaries

4.3. Business unit

4.4. Division

4.5. Entity-Level

5. Basic Definitions (according to COSO)

5.1. Enterprise Risk Management (ERM)

5.1.1. Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

5.1.2. Is a process

5.1.2.1. Enterprise risk management is not one event or circumstance, but a series of actions that permeate an entity's activities.

5.1.3. Is effected by people

5.1.3.1. Enterprise risk management is effected by a board of directors, management and other personnel. It is accomplished by the people of an organization, by what they do and say.

5.1.4. Is applied in strategy setting

5.1.4.1. An entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that align with and support its vision or mission.

5.1.5. Is applied across the enterprise

5.1.5.1. To successfully apply enterprise risk management, an entity must consider its entire scope of activities. Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review.

5.1.6. Is designed to identify events potentially affecting the entity and manage risk within its risk appetite

5.1.6.1. Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite. Different strategies will expose the entity to different risks. Enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk appetite.

5.1.7. Provides reasonable assurance

5.1.7.1. Well-designed and operated enterprise risk management can provide management and the board of directors reasonable assurance regarding achievement of an entity's objectives.

5.1.7.1.1. They understand the extent to which the entity’s strategic objectives are being achieved.

5.1.7.1.2. They understand the extent to which the entity's operations objectives are being achieved.

5.1.7.1.3. The entity’s reporting is reliable.

5.1.7.1.4. Applicable laws and regulations are being complied with.

5.1.8. Is geared to the achievement of objectives

5.1.8.1. Effective enterprise risk management can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting and to compliance with laws and regulations. Achievement of those categories of objectives is within the entity’s control and depends on how well the entity’s related activities are performed.

5.2. Risk Appetite

5.2.1. Risk appetite is the amount of risk an entity is willing to accept in pursuit of value. Entities often consider risk appetite qualitatively, with such categories as high, moderate or low, or they may take a quantitative approach, reflecting and balancing goals for growth, return and risk.

5.2.2. Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite.

5.3. Risk Culture

5.3.1. Risk culture is the set of shared attitudes, values and practices that characterize how an entity considers risk in its day-to-day activities. For many companies, the risk culture flows from the entity’s risk philosophy and risk appetite. For those entities that do not explicitly define their risk philosophy, the risk culture may form haphazardly, resulting in significantly different risk cultures within an enterprise or even within a particular business unit, function or department.

5.4. Risk Subcultures

5.4.1. Individual business units, functions and departments will have slightly different risk cultures. Managers of some are prepared to take more risk, while others are more conservative, and these different cultures sometimes work at cross-purposes.

6. Enterprise risk management (ERM) provides enhanced capability to:

6.1. Align risk appetite and strategy

6.2. Link growth, risk and return

6.3. Enhance risk response decisions

6.4. Minimize operational surprises and losses

6.5. Identify and manage cross-enterprise risks

6.6. Provide integrated responses to multiple risks

6.7. Seize opportunities

6.8. Rationalize capital

7. COSO ERM-IF Cube (2004)

7.1. A direct relationship exists between objectives, components, and the entity structure which can be depicted in the form of a cube.

7.1.1. The objectives are represented by the columns.

7.1.2. The components are represented by the rows.

7.1.3. The entity structure is represented by the third dimension of the cube

8. Roles and Responsibilities

8.1. Board of Directors

8.2. Management

8.3. Risk Officer

8.4. Financial Officers

8.5. Internal Auditors

8.6. Other Entity Personnel

8.7. External Parties

8.7.1. External Auditors

8.7.2. Legislators and Regulators

8.7.3. Parties Interacting with the Entity

8.7.4. Outsource Service Providers

8.7.5. Financial Analysts, Bond Rating Agencies and the News Media

9. COSO ERM-IF serve as the broadly accepted standard for satisfying those reporting requirements; however, in 2004 COSO published Enterprise Risk Management - Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

10. This freeware mind map (aligned with the newest version of COSO ERM IF was carefully hand crafted with passion and love for learning and constant improvement as well for promotion the standard and framework COSO ERM IF and as a learning tool for candidates wanting to gain COSO ERM IF knowledge. (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

10.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com

10.1.1. http://www.linkedin.com/in/miroslawdabrowski

10.1.2. https://www.google.com/+MiroslawDabrowski

10.1.3. https://play.spotify.com/user/miroslawdabrowski/

10.1.4. http://www.miroslawdabrowski.com

10.1.5. https://twitter.com/mirodabrowski

10.1.6. miroslaw_dabrowski