coso enterprise risk management: establishing effective ... · pdf filemanagement establishing...

15

Upload: dangdan

Post on 05-Feb-2018

233 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,
Page 2: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 2

Page 3: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 1

COSO Enterprise RiskManagement

Page 4: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 2

Page 5: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 3

COSO Enterprise RiskManagement

Establishing Effective Governance,Risk, and Compliance Processes

Second Edition

ROBERT R. MOELLER

John Wiley & Sons, Inc.

Page 6: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 4

Copyright# 2007, 2011 by John Wiley & Sons, Inc. All rights reserved. First edition 2007

Second edition 2011

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

‘‘PMI’’ and ‘‘PMBOK’’ are registered marks for the Project Management Institute, Inc.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any

form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise,

except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without

either the prior written permission of the Publisher, or authorization through payment of the

appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers,

MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com.

Requests to the Publisher for permission should be addressed to the Permissions Department,

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-

6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts

in preparing this book, they make no representations or warranties with respect to the accuracy or

completeness of the contents of this book and specifically disclaim any implied warranties of

merchantability or fitness for a particular purpose. No warranty may be created or extended by sales

representatives or written sales materials. The advice and strategies contained herein may not be

suitable for your situation. You should consult with a professional where appropriate. Neither the

publisher nor author shall be liable for any loss of profit or any other commercial damages, including

but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please

contact our Customer Care Department within the United States at (800) 762-2974, outside the

United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in

print may not be available in electronic books. For more information about Wiley products, visit

our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication DataMoeller, Robert R

COSO enterprise risk management : establishing effective governance, risk, and compliance

processes / Robert R. Moeller.—2nd ed.

p. cm.—(Wiley corporate f&a ; 560)

Includes index.

ISBN 978-0-470-91288-1 (hardback); ISBN 978-1-118-10252-7 (ebk);

ISBN 978-1-118-10253-4 (ebk); ISBN 978-1-118-10254-1 (ebk)

1. Risk management. I. Title.

HD61.M568 2011

658.15 05—dc22 2011012021

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

Page 7: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 5

To my wife and very best friend, Lois Moeller

Page 8: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FFIRS 07/02/2011 10:22:33 Page 6

Page 9: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FTOC 06/07/2011 11:36:42 Page 7

Contents

Preface xi

Chapter 1: Introduction: Enterprise Risk Management Today 1

The COSO Internal Controls Framework: How Did We Get Here? 2

The COSO Internal Controls Framework 3

COSO Internal Controls: The Principal Recognized Internal Controls Standard 14

An Introduction to COSO ERM 14

Governance, Risk, and Compliance 15

Global Computer Products: Our Example Company 16

Chapter 2: Importance of Governance, Risk, and CompliancePrinciples 21

Road to Effective GRC Principles 22

Importance of GRC Governance 23

Risk Management Component of GRC 25

GRC and Enterprise Compliance 26

Importance of Effective GRC Practices and Principles 28

Chapter 3: Risk Management Fundamentals 31

Fundamentals: Risk Management Phases 32

Other Risk Assessment Techniques 45

Chapter 4: COSO ERM Framework 51

ERM Definitions and Objectives: A Portfolio View of Risk 51

COSO ERM Framework Model 55

Other Dimensions of the ERM Framework 86

Chapter 5: Implementing ERM in the Enterprise 89

Roles and Responsibilities of an Enterprise Risk Management Function 90

Risk Management Policies, Standards, and Strategies 100

Business, IT, and Risk Transfer Processes 105

Risk Management Reviews and Corrective Action Practices 108

ERM Communications Approaches 112

CRO and an Effective Enterprise Risk Management Function 113

vii

Page 10: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FTOC 06/07/2011 11:36:43 Page 8

Chapter 6: Importance of Strong Enterprise Governance Practices 115

History and Background of Enterprise Governance: A U.S. Perspective 116

Enterprise Integrity and Ethical Behavior 119

Disclosure and Transparency 125

Rights and Equitable Treatment of Shareholders

and Key Stakeholders 126

Governance Role and Responsibilities of the Board 128

Governance as a Key Element of GRC 128

Chapter 7: Enterprise Compliance Issues Today 131

Compliance Issues Today 132

Establish a Compliance Assessment Team 133

Compliance Risk Assessments and Compliance Program Reviews 136

Work Unit–Level Compliance Tracking and Review Processes 138

Compliance-Related Procedures and Staff Education Programs 141

Enterprise Hotline Compliance and Whistleblower Support 142

Assessing the Overall Enterprise Compliance Program 144

Chapter 8: Integrating ERM with COSO Internal Controls 147

COSO Internal Controls Background and Earlier Legislation 147

Efforts Leading to the Treadway Commission 151

COSO Internal Controls Framework 156

COSO Internal Controls and COSO ERM: Compared 174

Chapter 9: Sarbanes-Oxley and Enterprise Risk ManagementConcerns 177

Sarbanes-Oxley Act Background 177

SOx Legislation Overview 179

Enterprise Risk Management and SOx Section 404 Reviews 193

Internal Controls Reporting and Materiality 198

PCAOB Risk-Based Auditing Standards 199

Sarbanes-Oxley: The Other Sections 200

SOx and COSO ERM 201

Chapter 10: Corporate Culture and Risk Portfolio Management 203

Whistleblower and Hotline Functions 204

Risk Portfolio Management 208

Integrated Enterprise-Wide Risk Management 211

Chapter 11: OCEG Capability Model GRC Standards 215

GRC Capability Model ‘‘Red Book’’ 215

Other OCEG Materials: The ‘‘Burgundy Book’’ 223

Level and Scope of the OCEG Standards-Setting Authority 224

viii & Contents

Page 11: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FTOC 06/07/2011 11:36:43 Page 9

Chapter 12: Importance of GRC Principles in the Board Room 225

Board Decisions and Risk Management 226

Board Organization and Governance Rules 230

Corporate Charters and the Board Committee Structure 231

Audit Committees and Managing Risks 235

Establishing a Board-Level Risk Committee 238

Audit and Risk Committee Coordination 244

COSO ERM and Corporate Governance 245

Chapter 13: Role of Internal Audit in Enterprise Risk Management 247

Internal Audit Standards for Evaluating Risk 248

COSO ERM for More Effective Internal Audit Planning 251

Risk-Based Internal Audit Findings and Recommendations 264

COSO ERM and Internal Audit 265

Chapter 14: Understanding Project Management Risks 267

Project Management Process 268

PMBOK1 Guide: A Guide to the Project Management Book of Knowledge 269

PMBOK1 Guide’s Project Manager Risk Management Approach 272

Project-Related Risks: What Can Go Wrong 282

Implementing ERM for Project Managers 285

Chapter 15: Information Technology and EnterpriseRisk Management 291

IT and the COSO ERM Framework 292

IT Application Systems Risks 294

Effective IT Continuity Planning 302

Worms, Viruses, and System Network Risks 307

IT and Effective ERM Processes 309

Chapter 16: Establishing an Effective GRC Culturethroughout the Enterprise 311

First Steps to Establishing a GRC Culture: An Example 312

Promoting the Concept of Enterprise Risk 314

Establishing of Enterprise-Wide Governance Awareness 319

Enterprise Codes of Conduct 323

Building a GRC Culture: Risk, Governance, and Compliance

Education Programs 326

Keeping the GRC Culture Current 327

Chapter 17: ISO 31000 and 38500 Risk ManagementWorldwide Standards 331

ISO Standards-Setting Process 332

Understanding ISO 31000 334

Contents & ix

Page 12: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FTOC 06/07/2011 11:36:43 Page 10

ISO 38500: The Corporate Governance of IT 337

Implementing an ISO Standard 340

Chapter 18: ERM and GRC Principles Going Forward 343

ERM and GRC for the Internal Controls Professional 344

COSO’s Ongoing Support Role 347

COSO ERM and GRC Future Prospects 348

About the Author 351

Index 353

x & Contents

Page 13: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FPREF 06/18/2011 11:18:31 Page 11

Preface

R ISK MANAGEMENT IS ONE of those concepts where many business

professionals will agree that, ‘‘Yes, we need a good risk management pro-

gram!’’ but those same professionals often have difficulty, when pressed for a

better definition, explaining what they mean by the term risk management. For many

business professionals, this lack of a consistent understanding of risk management has

been similar, until recently, to the earlier lack of a general understanding of the term

internal controls. Going as far back as the 1950s in the United States, internal and

external auditors as well as many business professionals talked about the importance

of good internal controls, but there was no one widely accepted, consistent definition

of what was meant by that expression. It was not until the early 1990s with the

release of the COSO internal control framework that we have had a consistent and

widely recognized definition of internal controls for all enterprises.

Risk management has had a similar history of inconsistent and not always clearly

understood definitions. Insurance enterprises had their own definitions of risk

management while others, such as credit management, have had a whole different

set of definitions and understandings. Project managers had been frequently asked to

rate a proposed new effort as high, medium, or low risk without fully understanding

the meaning of such a rating. Over past years and until the very recent present, many

enterprises including for-profit entities, not-for-profits, or governmental agencies

have not had a consistent definition of the meaning of risk management and

what was necessary to establish an effective risk management structure or frame-

work. To help with this definition problem, the COSO guidance setting entity1

developed a risk management definition or framework definition called COSO Enter-

prise Risk Management or COSO ERM. This risk management framework, updated

with COSO guidance and published in 2011,2 provides a structure and set of

definitions to allow enterprises of all types and sizes to understand and better manage

their risk environments.

Similar to our concerns about a better way to look at and understand risk

management, enterprises have had similar needs to improve their enterprise govern-

ance practices and both regulatory and ethics compliance standards. Although there

have always been issues, interests in better enterprise governance and compliance

standards first became particularly important at the beginning of this century with

the corporate fraud–related failure of the high-flying corporation Enron. This led to

the passage of the Sarbanes-Oxley Act (SOx) in the United States and a worldwide

xi

Page 14: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FPREF 06/18/2011 11:18:31 Page 12

interest in enterprise governance and compliance issues. These concerns became even

more significant with the worldwide financial recession starting around 2008.

While enterprise risk management is a major focus of this book, governance, risk,

and compliance issues are all equally important. Using the initials for each, we

frequently refer to these as GRC issues and standards. Enterprises need to build and

launch effective GRC processes.

Starting with the letter R of this concept, a major objective of this book is to help

business professionals, at all levels from staff internal auditors to corporate board

members, to understand risk management concepts and best practices in general

and make more effective use of the COSO ERM risk management framework. Using

the COSO ERM framework’s model and terminology, we will discuss the importance of

understanding the various risks facing many aspects of business operations and how to

use something called an enterprise’s appetite for risk to help make appropriate decisions

in many areas of business operations.

COSO ERM concepts are important for all levels of an enterprise. In addition to its

applicability for more senior managers, the chapters following will explain how all

professionals in an enterprise can make better decisions through use of this COSO ERM

framework and its recently released supporting guidance. The COSO ERM framework

provides an improved way of looking at all aspects of risk in today’s enterprise. This

book is designed to help professionals to develop and follow an effective risk culture

for many business and operating decisions.

This updated second edition will also discuss effective enterprise governance

practices including some of the key regulatory issues currently facing the modern

enterprise. Our emphasis is not to just discuss rules and standards but to emphasize

effective processes, particularly with an emphasis on using IT tools and processes and

utilizing the internal audit function. Also, many of the following chapters will reference

an example company that we have called Global Computer Products to help the reader

understand the use and practical application of COSO ERM and other effective GRC

processes. This hypothetical example company will be described in more detail in the

chapters following.

Chapter by chapter, this new second edition covers the following COSO ERM and

GRC process description and recommended good practices:

& Chapter 1. Introduction: Enterprise Risk Management Today. This intro-

ductory chapter introduces the concept of enterprise risk management and the

related concepts of enterprise governance and compliance standards. We start by

looking at an important standard for defining internal control, the Committee of

Sponsoring Organizations (COSO) internal control framework, a worldwide

accepted set of guidance materials for defining internal control in enterprises

today. From this internal controls framework the chapter then introduces the

similar looking in appearance, but very different, COSO enterprise risk manage-

ment (ERM) framework, the major topic of many of the chapters in this book. We

should note here that the COSO materials are not really standards in the sense of

an SEC-mandated standards requirement, but they are really very strong

xii & Preface

Page 15: COSO ENTERPRISE RISK MANAGEMENT: Establishing Effective ... · PDF fileManagement Establishing Effective Governance, ... COSO enterprise risk management : establishing effective governance,

FPREF 06/18/2011 11:18:31 Page 13

guidance materials. Because they are so pervasive today, we will frequently

reference them as standard practices. The chapter will also introduce us to an

example company, Global Computer Products, which will be referenced for many

examples throughout the book. However, the major objective of this chapter is to

introduce COSO ERM and related governance and compliance principles and how

they have changed since our first edition.& Chapter 2. Importance of Governance, Risk, and Compliance (GRC)

Principles. Events such as the collapse of the energy trading firm, Enron, and

its public accounting firm, Arthur Andersen, and the enactment of the Sarbanes-

Oxley Act (SOx) in 2002 raised a whole series of enterprise GRC issues that had

been previously all but ignored. The collapse of housing markets almost worldwide

during our recent great recession has also focused on needs today for improved

compliance processes. This chapter reviews the elements of effective GRC processes

and discusses why past events such as Enron and the more recent financial crises

have emphasized the growing importance of enterprise governance, risk, and

compliance processes.& Chapter 3. Risk Management Fundamentals. Key concepts and the termi-

nology used in risk assessments are introduced here. These include some of the

basic graphical and probability tools that have been used by risk managers over

time as well as the terminology used for risk transfers and assessments. These

concepts will be helpful in understanding risks in both a quantitative and qualita-

tive sense and in using and understanding COSO ERM. This chapter also will

introduce some of the basic concepts of probability and how they are used to

measure and assess risks.& Chapter 4. The COSO ERM Framework. This chapter discusses some of the

events that led to COSO ERM including ongoing industry and public concerns about

the lack of a consistent definition of internal controls and an uncertainty of the

meaning and concept of risk on an overall enterprise level. We introduce the three-

dimensional model or framework for understanding enterprise risk, COSO ERM,

with its eight vertical components or layers as one model dimension, a second

dimension of four vertical columns covering key risk objectives, and a third

dimension describing the enterprise units in the risk framework. An understanding

of these framework components sets the stage for understanding and using COSO

ERM. The chapter also highlights some of the recent guidance material released by

COSO on how to more effectively implement and use COSO ERM.& Chapter 5. Implementing ERM in the Enterprise. Risk management must be

understood in terms of its strategic, operational, reporting, and compliance

objectives as well how it should be implemented throughout the enterprise,

from an individual business unit to the entire enterprise. Beyond the Chapter 3

discussion of risk management fundamentals and the introduction of COSO

ERM, these are the other two dimensions of this risk management framework,

this chapter discusses these other two elements and how all three relate together.

The idea is to think of enterprise risk management as an overall structure that

will allow managers to understand and manage risks throughout an enterprise.

Preface & xiii