Page 44 - COSO Guidance
4 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
differences, even if the scope of application of a C&E program
may differ (i.e., limited to bribery and corruption in some
jurisdictions and broader application in others). The common
thread across these various guides is a shared appreciation
for the elements on which this COSO guide is based.

The relationship between compliance, internal
control, and enterprise risk management

COSO defines internal control in Internal Control – Integrated
Framework (2013) and Enterprise Risk Management –
Integrating with Strategy and Performance (2017) as follows:

A process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and compliance.

As this definition clearly points out, internal control is not
solely about accounting and financial matters. Compliance
with laws and regulations is one of the three fundamental
objectives of an organization’s system of internal controls.
The following five components of internal control support all
three categories of objectives:

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

The relationships between the three objectives, five
components, and the entity are depicted in figure 1.1:

Figure 1.1 The COSO 2013 Framework
[Figure: diagram relating the three categories of objectives, the five
components of internal control, and the entity]
Source: COSO Internal Control Framework ©2013

COSO defines ERM as follows:

The culture, capabilities, and practices, integrated
with strategy-setting and its performance, that
organizations rely on to manage risk in creating,
preserving, and realizing value.

The COSO ERM framework, like the internal control
framework, comprises five interrelated components:

• Governance & culture
• Strategy & objective-setting
• Performance
• Review and revision
• Information, communication, and reporting

Figure 1.2 Risk Management Components
[Figure: COSO ERM infographic with principles. Enterprise risk
management runs along the path Mission, Vision & Core Values →
Strategy Development → Business Objective Formulation →
Implementation & Performance → Enhanced Value. The five components
and their twenty principles are:]

Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals

Strategy & Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View

Review & Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management

Information, Communication, & Reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance

Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance

coso.org