COSO Enterprise Risk Management - Robert R. Moeller - E-Book

Robert R. Moeller

Description

A fully updated, step-by-step guide for implementing COSO's Enterprise Risk Management. COSO Enterprise Risk Management, Second Edition clearly enables organizations of all types and sizes to understand and better manage their risk environments and make better decisions through use of the COSO ERM framework. The Second Edition discusses the latest trends and pronouncements that have affected COSO ERM and explores new topics, including the PCAOB's release of AS5, ISACA's recently revised CobiT, and the recently released IIA Standards.

* Offers you expert advice on how to carry out internal control responsibilities more efficiently
* Updates you on the ins and outs of the COSO Report and its emergence as the new platform for understanding all aspects of risk in today's organization
* Shows you how an effective risk management program, following COSO ERM, can help your organization to better comply with the Sarbanes-Oxley Act
* Knowledgeably explains how to implement an effective ERM program

Preparing professionals to develop and follow an effective risk culture, COSO Enterprise Risk Management, Second Edition is the fully revised, invaluable working resource that will show you how to identify risks, avoid pitfalls within your corporation, and keep it moving ahead of the competition.

Page count: 763

Publication year: 2011



Contents

Cover

Title Page

Copyright

Dedication

Preface

Chapter 1: Introduction: Enterprise Risk Management Today

The COSO Internal Controls Framework: How Did We Get Here?

The COSO Internal Controls Framework

COSO Internal Controls: The Principal Recognized Internal Controls Standard

An Introduction to COSO ERM

Governance, Risk, and Compliance

Global Computer Products: Our Example Company

Chapter 2: Importance of Governance, Risk, and Compliance Principles

Road to Effective GRC Principles

Importance of GRC Governance

Risk Management Component of GRC

GRC and Enterprise Compliance

Importance of Effective GRC Practices and Principles

Chapter 3: Risk Management Fundamentals

Fundamentals: Risk Management Phases

Other Risk Assessment Techniques

Chapter 4: COSO ERM Framework

ERM Definitions and Objectives: A Portfolio View of Risk

COSO ERM Framework Model

Other Dimensions of the ERM Framework

Chapter 5: Implementing ERM in the Enterprise

Roles and Responsibilities of an Enterprise Risk Management Function

Risk Management Policies, Standards, and Strategies

Business, IT, and Risk Transfer Processes

Risk Management Reviews and Corrective Action Practices

ERM Communications Approaches

CRO and an Effective Enterprise Risk Management Function

Chapter 6: Importance of Strong Enterprise Governance Practices

History and Background of Enterprise Governance: A U.S. Perspective

Enterprise Integrity and Ethical Behavior

Disclosure and Transparency

Rights and Equitable Treatment of Shareholders and Key Stakeholders

Governance Role and Responsibilities of the Board

Governance as a Key Element of GRC

Chapter 7: Enterprise Compliance Issues Today

Compliance Issues Today

Establish a Compliance Assessment Team

Compliance Risk Assessments and Compliance Program Reviews

Work Unit–Level Compliance Tracking and Review Processes

Compliance-Related Procedures and Staff Education Programs

Enterprise Hotline Compliance and Whistleblower Support

Assessing the Overall Enterprise Compliance Program

Chapter 8: Integrating ERM with COSO Internal Controls

COSO Internal Controls Background and Earlier Legislation

Efforts Leading to the Treadway Commission

COSO Internal Controls Framework

COSO Internal Controls and COSO ERM: Compared

Chapter 9: Sarbanes-Oxley and Enterprise Risk Management Concerns

Sarbanes-Oxley Act Background

SOx Legislation Overview

Enterprise Risk Management and SOx Section 404 Reviews

Internal Controls Reporting and Materiality

PCAOB Risk-Based Auditing Standards

Sarbanes-Oxley: The Other Sections

SOx and COSO ERM

Chapter 10: Corporate Culture and Risk Portfolio Management

Whistleblower and Hotline Functions

Risk Portfolio Management

Integrated Enterprise-Wide Risk Management

Chapter 11: OCEG Capability Model GRC Standards

GRC Capability Model “Red Book”

Other OCEG Materials: The “Burgundy Book”

Level and Scope of the OCEG Standards-Setting Authority

Chapter 12: Importance of GRC Principles in the Board Room

Board Decisions and Risk Management

Board Organization and Governance Rules

Corporate Charters and the Board Committee Structure

Audit Committees and Managing Risks

Establishing a Board-Level Risk Committee

Audit and Risk Committee Coordination

COSO ERM and Corporate Governance

Chapter 13: Role of Internal Audit in Enterprise Risk Management

Internal Audit Standards for Evaluating Risk

COSO ERM for More Effective Internal Audit Planning

Risk-Based Internal Audit Findings and Recommendations

COSO ERM and Internal Audit

Chapter 14: Understanding Project Management Risks

Project Management Processes

PMBOK® Guide: A Guide to the Project Management Book of Knowledge

PMBOK® Guide's Project Manager Risk Management Approach

Project-Related Risks: What Can Go Wrong

Implementing ERM for Project Managers

Chapter 15: Information Technology and Enterprise Risk Management

IT and the COSO ERM Framework

IT Application Systems Risks

Effective IT Continuity Planning

Worms, Viruses, and System Network Risks

IT and Effective ERM Processes

Chapter 16: Establishing an Effective GRC Culture throughout the Enterprise

First Steps to Establishing a GRC Culture: An Example

Promoting the Concept of Enterprise Risk

Establishing of Enterprise-Wide Governance Awareness

Enterprise Codes of Conduct

Building a GRC Culture: Risk, Governance, and Compliance Education Programs

Keeping the GRC Culture Current

Chapter 17: ISO 31000 and 38500 Risk Management Worldwide Standards

ISO Standards-Setting Process

Understanding ISO 31000

ISO 38500: The Corporate Governance of IT

Implementing an ISO Standard

Chapter 18: ERM and GRC Principles Going Forward

ERM and GRC for the Internal Controls Professional

COSO's Ongoing Support Role

COSO ERM and GRC Future Prospects

About the Author

Index

Copyright © 2007, 2011 by John Wiley & Sons, Inc. All rights reserved. First edition 2007

Second edition 2011

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

“PMI” and “PMBOK” are registered marks for the Project Management Institute, Inc.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Moeller, Robert R.

COSO enterprise risk management : establishing effective governance, risk, and compliance processes / Robert R. Moeller.—2nd ed.

p. cm.—(Wiley corporate f&a; 560)

Includes index.

ISBN 978-0-470-91288-1 (hardback); ISBN 978-1-118-10252-7 (ebk);

ISBN 978-1-118-10253-4 (ebk); ISBN 978-1-118-10254-1 (ebk)

1. Risk management. I. Title.

HD61.M568 2011

658.15'5—dc22

2011012021

To my wife and very best friend, Lois Moeller

Preface

Risk management is one of those concepts where many business professionals will agree that, “Yes, we need a good risk management program!” but those same professionals often have difficulty, when pressed for a better definition, explaining what they mean by the term risk management. For many business professionals, this lack of a consistent understanding of risk management has been similar, until recently, to the earlier lack of a general understanding of the term internal controls. Going as far back as the 1950s in the United States, internal and external auditors as well as many business professionals talked about the importance of good internal controls, but there was no one widely accepted, consistent definition of what was meant by that expression. It was not until the early 1990s with the release of the COSO internal control framework that we have had a consistent and widely recognized definition of internal controls for all enterprises.

Risk management has had a similar history of inconsistent and not always clearly understood definitions. Insurance enterprises had their own definitions of risk management while others, such as credit management, have had a whole different set of definitions and understandings. Project managers had frequently been asked to rate a proposed new effort as high, medium, or low risk without fully understanding the meaning of such a rating. In past years, and until very recently, many enterprises, including for-profit entities, not-for-profits, and governmental agencies, have not had a consistent definition of the meaning of risk management and what was necessary to establish an effective risk management structure or framework. To help with this definition problem, the COSO guidance-setting entity1 developed a risk management definition or framework definition called COSO Enterprise Risk Management or COSO ERM. This risk management framework, updated with COSO guidance and published in 2011,2 provides a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.

Similar to our concerns about a better way to look at and understand risk management, enterprises have had similar needs to improve their enterprise governance practices and both regulatory and ethics compliance standards. Although there have always been issues, interests in better enterprise governance and compliance standards first became particularly important at the beginning of this century with the corporate fraud–related failure of the high-flying corporation Enron. This led to the passage of the Sarbanes-Oxley Act (SOx) in the United States and a worldwide interest in enterprise governance and compliance issues. These concerns became even more significant with the worldwide financial recession starting around 2008.

While enterprise risk management is a major focus of this book, governance, risk, and compliance issues are all equally important. Using the initials for each, we frequently refer to these as GRC issues and standards. Enterprises need to build and launch effective GRC processes.

Starting with the letter R of this concept, a major objective of this book is to help business professionals, at all levels from staff internal auditors to corporate board members, to understand risk management concepts and best practices in general and make more effective use of the COSO ERM risk management framework. Using the COSO ERM framework's model and terminology, we will discuss the importance of understanding the various risks facing many aspects of business operations and how to use something called an enterprise's appetite for risk to help make appropriate decisions in many areas of business operations.

COSO ERM concepts are important for all levels of an enterprise. In addition to its applicability for more senior managers, the chapters following will explain how all professionals in an enterprise can make better decisions through use of this COSO ERM framework and its recently released supporting guidance. The COSO ERM framework provides an improved way of looking at all aspects of risk in today's enterprise. This book is designed to help professionals to develop and follow an effective risk culture for many business and operating decisions.

This updated second edition will also discuss effective enterprise governance practices including some of the key regulatory issues currently facing the modern enterprise. Our emphasis is not to just discuss rules and standards but to emphasize effective processes, particularly with an emphasis on using IT tools and processes and utilizing the internal audit function. Also, many of the following chapters will reference an example company that we have called Global Computer Products to help the reader understand the use and practical application of COSO ERM and other effective GRC processes. This hypothetical example company will be described in more detail in the chapters following.

Chapter by chapter, this new second edition covers the following COSO ERM and GRC process descriptions and recommended good practices:

Chapter 1. Introduction: Enterprise Risk Management Today. This introductory chapter introduces the concept of enterprise risk management and the related concepts of enterprise governance and compliance standards. We start by looking at an important standard for defining internal control, the Committee of Sponsoring Organizations (COSO) internal control framework, a worldwide accepted set of guidance materials for defining internal control in enterprises today. From this internal controls framework the chapter then introduces the similar-looking but very different COSO enterprise risk management (ERM) framework, the major topic of many of the chapters in this book. We should note here that the COSO materials are not really standards in the sense of an SEC-mandated standards requirement, but they are really very strong guidance materials. Because they are so pervasive today, we will frequently reference them as standard practices. The chapter will also introduce us to an example company, Global Computer Products, which will be referenced for many examples throughout the book. However, the major objective of this chapter is to introduce COSO ERM and related governance and compliance principles and how they have changed since our first edition.

Chapter 2. Importance of Governance, Risk, and Compliance (GRC) Principles. Events such as the collapse of the energy trading firm Enron and its public accounting firm, Arthur Andersen, and the enactment of the Sarbanes-Oxley Act (SOx) in 2002 raised a whole series of enterprise GRC issues that had previously been all but ignored. The collapse of housing markets almost worldwide during our recent great recession has also focused attention on today's needs for improved compliance processes. This chapter reviews the elements of effective GRC processes and discusses why past events such as Enron and the more recent financial crises have emphasized the growing importance of enterprise governance, risk, and compliance processes.

Chapter 3. Risk Management Fundamentals. Key concepts and the terminology used in risk assessments are introduced here. These include some of the basic graphical and probability tools that have been used by risk managers over time as well as the terminology used for risk transfers and assessments. These concepts will be helpful in understanding risks in both a quantitative and qualitative sense and in using and understanding COSO ERM. This chapter also will introduce some of the basic concepts of probability and how they are used to measure and assess risks.

Chapter 4. The COSO ERM Framework. This chapter discusses some of the events that led to COSO ERM, including ongoing industry and public concerns about the lack of a consistent definition of internal controls and an uncertainty about the meaning and concept of risk on an overall enterprise level. We introduce the three-dimensional model or framework for understanding enterprise risk, COSO ERM, with its eight vertical components or layers as one model dimension, a second dimension of four vertical columns covering key risk objectives, and a third dimension describing the enterprise units in the risk framework. An understanding of these framework components sets the stage for understanding and using COSO ERM. The chapter also highlights some of the recent guidance material released by COSO on how to more effectively implement and use COSO ERM.

Chapter 5. Implementing ERM in the Enterprise. Risk management must be understood in terms of its strategic, operational, reporting, and compliance objectives as well as how it should be implemented throughout the enterprise, from an individual business unit to the entire enterprise. Beyond the Chapter 3 discussion of risk management fundamentals and the introduction of COSO ERM, these objectives and enterprise levels are the other two dimensions of this risk management framework; this chapter discusses these two elements and how all three relate together. The idea is to think of enterprise risk management as an overall structure that will allow managers to understand and manage risks throughout an enterprise.

Chapter 6. Importance of Strong Governance Practices. We outline why all enterprises, and public corporations in particular, are expected to have some social and governance responsibilities. Governance principles can also be introduced at an overall stakeholder level through effective ethics programs and codes of conduct.

Chapter 7. Enterprise Compliance Issues Today. Enterprises today face growing amounts of legal and regulatory requirements at national, local, and regional levels. The chapter discusses the multiple issues facing an enterprise and introduces processes for reviewing and assessing compliance at all levels of an enterprise today.

Chapter 8. Integrating ERM with COSO Internal Controls. Prior chapters have only referenced the COSO internal controls framework in contrasting it to COSO ERM. This chapter will dig a bit deeper and provide a more detailed look at the components and objectives of the COSO internal controls framework as well as some background on its origins. Since the COSO internal controls framework has a risk component, we will also discuss its relationship to COSO ERM. An overall objective of this chapter will be to describe how managers can use and apply effective enterprise risk management practices when building strong COSO internal control practices.

Chapter 9. Sarbanes-Oxley and Enterprise Risk Management Concerns. SOx has had a major impact on corporations whose securities are registered with the U.S. Securities and Exchange Commission (SEC) and has changed the financial reporting and public accounting regulatory landscape from one of self-regulation by external audit firms to quasi-governmental rules. SOx and COSO ERM have some important interdependencies, and today's enterprise manager must have a general understanding of both. This chapter provides general background on SOx and describes some of its enterprise risk–related attributes.

Chapter 10. Corporate Culture and Risk Portfolio Management. This chapter looks at several important areas for implementing an effective enterprise risk management culture, including the help and support resources necessary for enterprise codes of conduct and the role of whistleblower functions, both in support of SOx requirements and as an escape mechanism to manage enterprise risks. Enterprises need such a whistleblower facility where a stakeholder can independently report a problem without fear of retribution and can seek further information about some rule or procedure and ask for help.

Our second topic in this chapter is risk portfolio management. Any enterprise faces a wide range of different types of risks and potential consequences. In order to effectively manage them, an effective approach is to divide these many and diverse risks into separate portfolios and then to assess and manage the risks on a portfolio basis.

Chapter 11. OCEG Capability Model GRC Standards. The Open Compliance and Ethics Group (OCEG) is an industry-led nonprofit organization that develops standards and helps enterprises enhance their governance, risk management, and compliance processes. OCEG is a relatively new organization and certainly did not exist at the time of the first edition of this book. While the OCEG does not have the standards-setting authority that might be found in the American Institute of Certified Public Accountants' (AICPA's) standards or even in some of the ISO 31000 guidance discussed in Chapter 17, it has published several guidance standards such as a GRC capability model. This chapter reviews several of the currently published OCEG guidance materials, including their “Red Book” on a GRC capability model, what they call their “Burgundy Book” on GRC capability processes, and related materials. Many of these OCEG guidance materials are very similar to the GRC and ERM framework guidance information found in other chapters, but with a slightly different emphasis or approach.

Chapter 12. Importance of ERM in the Corporate Board Room. This chapter will consider the importance of corporate boards of directors subscribing to good GRC principles, as well as introducing COSO ERM and effective GRC principles to today's boards and their decision-making processes. It will suggest approaches for effectively implementing COSO ERM both for overall enterprise decision-making guidance and as a process for helping boards make decisions. While boards have a basic responsibility for the governance of their enterprises and related compliance issues, this chapter will emphasize the need for strong board-level GRC principles. The chapter will also discuss the importance of establishing a board-level risk committee operating in parallel with the audit committee. A broad enterprise-wide perspective of COSO ERM is an important tool for helping board members to better consider and evaluate the risks facing their enterprises.

Chapter 13. Role of Internal Audit in Enterprise Governance, Risk, and Compliance. Internal audit plays an important role in monitoring and assessing all GRC processes in the enterprise. Internal auditors may also act as internal consultants helping to support GRC processes and internal controls implementation and maintenance. The chapter looks at important roles for internal audit in reviewing critical GRC systems and processes as well as techniques for building risk-based approaches for the overall internal audit process. Internal auditors have always considered risks in planning and performing audits, but COSO ERM as well as the recently updated Institute of Internal Auditors (IIA) internal audit standards suggest a greater need for emphasis on ERM.

Chapter 14. Understanding Project Management Risks. Many enterprise efforts are organized as projects—limited duration activities that are managed as separate efforts within normal enterprise boundaries. The chapter introduces the Project Management Institute's standard A Guide to the Project Management Book of Knowledge (PMBOK® Guide) with its own risk management component. This chapter will discuss how to integrate PMBOK® Guide risk guidance materials with the overall ERM framework to better manage and control project risks.

Chapter 15. Information Technology and Enterprise Risk Management. Because of the complexity in building and maintaining computer systems and applications, risk management has been very important to information technology (IT) processes. The chapter will look at three important IT areas and how COSO ERM can help an enterprise to better understand those IT risks:

Application Systems Risks. Enterprises often face significant risks when they purchase or develop new applications, implement them to production status, and then maintain them as production systems. There are risks associated with each of these areas, and COSO ERM can help in their management.

Effective Continuity Planning. Once more commonly called disaster recovery planning, continuity planning can help IT systems and operations, which can be subject to unexpected interruptions in their services, deal with those risks. COSO ERM provides an enhanced framework to understand and manage those risks.

Worms, Viruses, and Systems Network Access Risks. There are many risks and threats in our world of interconnected systems and resources. COSO ERM provides guidance to assist an enterprise in deciding where it should allocate resources. This chapter also discusses the more significant of these potential risks.

Chapter 16. Establishing an Effective GRC Culture throughout the Enterprise. Effective risk management needs to go beyond implementing COSO ERM or announcing a GRC program as an initiative within one or another enterprise function. It should be an overall philosophy that is understood and used throughout the enterprise. The chapter discusses how to establish an ERM function and GRC culture in a larger enterprise as well as the roles and responsibilities of the chief risk officer who would lead such a function.

Chapter 17. ISO 31000 and 38500 Risk Management Worldwide Standards. While COSO ERM was first introduced as a U.S.-based guidance standard, other risk management standards have now been released throughout the world. The chapter will look at both ISO 31000 and 38500,3 two related international risk management standards, and will discuss how these international standards relate to COSO ERM.

Chapter 18. ERM and GRC Principles Going Forward. The concept of COSO ERM and GRC principles has changed very much since the first edition of this COSO ERM book was published in 2007. In today's highly regulated environment, enterprises are increasingly pressured by governance, risk, and compliance concerns while at the same time they have strong needs to drive their business performance and to enhance stakeholder confidence. Underlying these GRC management issues, an enterprise must coordinate and manage a wide range of manual and IT infrastructure processes that directly support the tools and systems in a GRC business environment. This final chapter summarizes some of the current trends and issues that will continue to make GRC management increasingly important. In particular, it reviews some of the areas that several professional organizations are promoting to increase awareness of GRC and ERM.

Notes

1. COSO stands for the Committee of Sponsoring Enterprises. Its role will be described in Chapter 1.

2. “Embracing Enterprise Risk Management: Practical Approaches to Getting Started,” COSO, 2011, www.coso.org.

3. ISO stands for the International Organization for Standards, a French language–based authority in Geneva, Switzerland. See www.iso.org.

Chapter 1

Introduction: Enterprise Risk Management Today

Well-recognized or mandated standards are important for effective enterprise governance and management. Compliance with these standards allows the enterprise to demonstrate they are following best practices and complying with regulatory rules. For example, the enterprise's financial statements are audited by an external audit firm to determine whether they are consistent with generally accepted accounting principles (GAAP) in the United States or are fairly stated following international financial reporting standards (IFRS). This financial audit process applies to virtually all enterprises worldwide, no matter their size or enterprise structure. Investors and lenders want an external party—an independent auditor—to examine financial records and attest whether they are fairly stated. In order to attest to these financial statements, that same auditor has to determine that there are good supporting internal controls surrounding all significant financial transactions.

Internal controls cover many areas in enterprise operations. An example here is a separation of duties control where a person who prepares a check for issue to an outside party should not be the same person who approves that check for payment. Two independent people should be involved with the release of checks that take cash from the enterprise. This is a common and well-recognized internal control, and many others relate to similar situations where one person or process should always be in a position to independently check the work of another party. Good internal control processes are essential for effective risk management systems in an enterprise.

This introductory chapter briefly looks at an important guidance standard for defining internal control, the Committee of Sponsoring Organizations' (COSO) internal control framework. This COSO guidance has become the worldwide accepted standard for defining internal control in enterprises today. From this internal controls framework the chapter then introduces the similar-looking but very different COSO enterprise risk management (ERM) framework, the major topic of many of the chapters in this book.

The chapter will also introduce us to an example company, Global Computer Products, which will be referenced in many examples throughout other chapters. The Global Computer Products hypothetical enterprise is a U.S.-headquartered computer hardware and software products manufacturer with worldwide development and distribution facilities. Although no example can be comprehensive or complete, we will try to use this Global Computer Products example as a vehicle to better understand and implement COSO ERM and governance, risk and compliance (GRC) issues in an enterprise today as well as to use them for implementing effective enterprise practices.

The COSO Internal Controls Framework: How Did We Get Here?

Similar to the many acronyms for products and techniques common in information technology (IT), product and process names are quickly turned into acronyms in the worlds of auditing, accounting, and corporate management. In the IT world, we quickly forget the names, words, or even the concepts that created the acronym and just use the several-letter acronyms. For example, International Business Machines Corporation (IBM) launched a custom software product for just one customer called the Customer Information Control System (CICS), back in the old mainframe or legacy computer system days of the early 1970s when IBM needed to develop software to access files in an online basis. Other computer manufacturing competitors at that time had online, real-time software, but IBM did not. IBM's CICS product was enhanced and generalized over the years. It is still around today for legacy systems, and today's users call it “Kicks” as their pronunciation of CICS. The definition or meaning of this acronym has been essentially forgotten and CICS has now become an IT “word.”

The internal control guidance-setting organization, COSO, is a similar example with an abbreviated name standing for the Committee of Sponsoring Organizations of the Treadway Commission. Of course, an explanation of that COSO name does not offer much help—who is this committee, what are they sponsoring, and what is the Treadway Commission? To understand how this internal control standard came about, it is necessary to go back to the late 1970s and early 1980s, a period when there were many major enterprise financial failures in the United States due to conditions including very high inflation, the resultant high interest rates, and some aggressive enterprise accounting approaches. The scope of these failures seems minor today when contrasted with the financial meltdowns of 2009 and 2010 or the financial frauds at the beginning of this century that led to the Sarbanes-Oxley Act (SOx). Financial crises will always be with us, and a concern back in the 1970s was that several major corporations suffered a financial collapse even though their recently published audited financial reports, signed by their external auditors, showed both adequate earnings and good financial health. Some of these failures were caused by fraudulent financial reporting, but most turned out to be victims of the high inflation and resultant high interest rates during that period. It was not uncommon for many companies that failed to have issued fairly positive annual reports despite the bad news about to come. This also was another period of high regulatory activity in the United States, and some members of Congress drafted legislation to “correct” these business or audit failures. Congressional hearings were held, but no legislation was ever passed. Rather, a private professional group, called the National Commission on Fraudulent Financial Reporting, was formed to study the issue. Five U.S. professional financial organizations sponsored this National Commission: the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the Financial Executives Institute (FEI), the American Accounting Association (AAA), and the Institute of Management Accountants (IMA). Named after its chair, SEC Commissioner James C. Treadway, the authority adopted as its official name The Committee of Sponsoring Organizations of the Treadway Commission. Today, that group has become known by its acronym name, COSO.
