Alignment of Risk Management Initiatives (COSO, ISO 31000, RIMS, IFAC...)

Date posted: 15-May-2015
Uploaded by: qsp-centro-da-qualidade-seguranca-e-produtividade

Description: Slides from the event promoted by ISO TC 262 (Risk Management) on the main risk management initiatives being developed around the world.

Transcript
Page 1: Alignment of Risk Management Initiatives (COSO, ISO 31000, RIMS, IFAC...)

Page 2

Panelists:

• Vincent Tophoff, IFAC (International Federation of Accountants)
• David Landsittel, COSO (Committee of Sponsoring Organizations)
• Gigi Dawe, CPA Canada ROGB (Risk Oversight and Governance Board)
• Carol Fox, RIMS (The Risk Management Society)
• Julia Graham, FERMA & IFRIMA (Federation of European Risk Management Associations; International Federation of Risk and Insurance Management Associations)
• Jan Mattingly, ISO 31004 Work Group (International Organization for Standardization)

Page 3

Page 3 | Confidential and Proprietary Information

Pursuing Global Alignment of Risk Management Guidelines

Vincent Tophoff, International Federation of Accountants (IFAC)

COSO, IFAC, ISO, RIMS, and ROGB Panel Discussion and Networking Event

Chicago

September 24, 2013

Page 4

International Federation of Accountants

The International Federation of Accountants (IFAC) is:
• The global organization of the accountancy profession
• 164 member bodies and associates in 125 countries
• 2.5 million professional accountants in public practice, commerce, industry, financial services, the public sector, education, and the not-for-profit sector
• Public interest focused

More than half are in this box. We call them PAIBs (professional accountants in business) and the PAIB Committee exists to support them.

Page 5

International Federation of Accountants

What IFAC does:
• Establishes and promotes adherence to high-quality professional standards
• Furthers adoption and implementation of standards
• Supports the global development of the accountancy profession
• Provides a global voice and promotes the value of professional accountants worldwide
• Helps its members support professional accountants in business and small and medium practices

Page 6

Professional Accountants in Business

• Supports professional accountants in the following areas:
– Governance and ethics
– Risk management and internal control
– Sustainability and corporate responsibility
– Financial and performance management
– Business reporting
– Promoting and contributing to the value of professional accountants

• All areas of critical importance to professional accountants (and for risk managers too...)

Page 7

Bad vs. Good RM/IC Practices

There has been an overwhelming load of bad practice (bad vs. good):
– RM/IC as an objective in itself vs. RM/IC to achieve objectives
– Auditor / staff driven vs. Board and management driven
– Rules-based vs. Principles-based
– Off-the-shelf systems vs. Tailor-made
– Focused on threats only vs. Also focused on opportunities
– Mainly hard controls vs. Social / human aspects
– Artificially implemented vs. Organically implemented
– Stand-alone / "bolt-on" vs. Integrated / "built-in"
– Static, out-of-date vs. Dynamic, evolving
– Creates costs vs. Creates results / value
– Abandoned vs. Supported

Page 8

Global Crisis

• Global crisis, according to IFAC research, caused by:
– Ethical flaws
– Governance, RM/IC in name, but not in spirit
– Regulatory overload, leading to legalistic compliance
– Risk & control systems too narrowly focused on only financial reporting controls

• Conclusions from the crisis:
– Organizations should take a broader approach to risk management and internal control
– Appropriate application of risk management and internal control standards and principles is often the problem

Page 9

Emerging Trends

Respondents to the IFAC Global Survey on Risk Management & Internal Control recommended the following:

• Emphasize the benefits of (more integrated) risk management and internal control

• Bring various risk management and internal control standard setting organizations (e.g., COSO, ISO 31000, the Risk Oversight & Governance Board, etc.) and their guidelines closer together

• Collaborate with experts on developing practical application guidance for (integration of) risk management & internal control

Page 10

COSO ERM vs. ISO 31000

– Lengthy vs. Short
– Focused on ERM vs. General approach to managing risk
– One cube vs. Framework and process
– Skewed to negative vs. Risk can be positive or negative
– Risk already exists vs. Risk tied to achieving objectives
– Risk & opportunities vs. Opportunities also a source of risk
– More sequential process vs. More iterative process

Many entities use both COSO ERM & ISO 31000...

... Biggest challenge is that the concepts are not aligned

Too short, however, to really understand

Page 11

Next step > Further Global Alignment of Guidelines

• IFAC facilitates further global alignment of risk management and internal control guidelines

• Through bringing various risk management and internal control standard setting organizations (and their guidelines!) closer together

• As per the outcomes of our survey!

• And now over to you…

Page 12

For further information please contact:
• Vincent Tophoff at [email protected]
• Visit www.ifac.org

Page 13

Recent COSO Internal Control and Risk Management Developments

IFAC and ISO Panel Discussion, September 24, 2013

David L. Landsittel, Former Chair - COSO

Page 14

About COSO
• Formed in 1985 to sponsor a group to make recommendations on fraudulent financial reporting
• A joint initiative of five private sector organizations:
▫ American Accounting Association (AAA)
▫ American Institute of Certified Public Accountants (AICPA)
▫ Financial Executives International (FEI)
▫ Institute of Management Accountants (IMA)
▫ The Institute of Internal Auditors (IIA)

Page 15

Mission

COSO's Mission is "To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations."

COSO's Fundamental Principle: Good risk management and internal control are necessary for the long-term success of all organizations

Page 16

COSO's Three Areas of Focus
1. Internal Control
2. Enterprise Risk Management
3. Fraud Deterrence

Page 17

Timeline (1985–2013)

1987: Treadway Commission Report
1992: Internal Control – Integrated Framework
1996: Internal Control Issues in Derivatives
1999: Fraud Study I - Fraudulent Financial Reporting: 1987-1997
2004: Enterprise Risk Management Framework
2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting
2009: Guidance on Monitoring Internal Control Systems
2010: Fraud Study II - Fraudulent Financial Reporting: 1998-2007
2010-2013: Recent ERM thought papers on current issues

Page 18

COSO Internal Control Framework

• First published in 1992
• Gained wide acceptance following the financial control failures of the early 2000s
• Most widely used framework in the US
• Also widely used around the world – translated into 7 languages

Page 19

Why Update What Works?

ICIF works well today: COSO's Internal Control–Integrated Framework (1992 Edition)
ICIF will work better tomorrow: COSO's Internal Control–Integrated Framework (2013 Edition)

Update objectives and enhancements:
– Updates context: reflect changes in business & operating environments
– Broadens application: expand operations and reporting objectives
– Clarifies requirements: articulate principles to facilitate effective internal control

Page 20

Project Plan & Timetable (2010–2013)

1. Assess & Survey Stakeholders
2. Design & Build
3. Public Exposure & Assess
4. Finalize

Page 21

Project Participants

COSO Board of Directors

COSO Advisory Council:
• AICPA
• AAA
• FEI
• IIA
• IMA
• Public Accounting Firms
• Regulatory observers
• Others (IFAC, ISACA, others)

PwC: Author and Project Leader

Stakeholder Input:
• Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework
• Public exposures of the updated Framework draft and supporting documents
• Webcasts, round tables, direct correspondence via [email protected] et al.

Page 22

Summary of Updates...

What is not changing...
1. Definition of internal control
2. Five components of internal control
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in designing and implementing controls and in evaluating the effectiveness of systems of internal control

What is changing...
1. Updated to reflect the current business environment
2. Formalized fundamental concepts underlying the five components as principles
3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
4. Increased focus on operations and compliance objectives based on user input

Page 23

Summary of Updates

A changing business environment drives updates to the Framework:
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud

Page 24

17 Principles of the Updated ICIF

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Page 25

Update Articulates Principles of Effective Internal Control

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Page 26

Project Deliverables: Internal Control-Integrated Framework

• Consists of three volumes:
▫ Executive Summary
▫ Framework and Appendices
▫ Illustrative Tools: Assessing Effectiveness of a System of Internal Control

• Sets out:
▫ Definition of internal control
▫ Categories of objectives
▫ Components of internal control and related principles and points of focus
▫ Requirements for effectiveness

Page 27

Project Deliverables: Internal Control over External Financial Reporting: A Compendium

• Provides approaches and examples illustrating how the principles are applied in preparing financial statements for external purposes

• Is relevant for a variety of entities – public, private, not-for-profit, and government

• Is consistent with and does not modify the updated Framework

Page 28

The ERM Framework

• Published in 2004
• Based upon a framework with similarities to the COSO 92 framework
• Widely recognized, but not as widely adopted as COSO 92
• Implementation not as robust as COSO 92

Page 29

Some Current ERM Challenges

• Uneven support to adopt any formal risk management process
• Less than robust ERM implementation
• Difficulty "getting started" with ERM implementation
• Difficulty aligning ERM with the top management view
• Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight
• Immature development of risk appetite
• Failure to consider low likelihood but high impact risks – overconfidence

Page 30

COSO ERM Response

Our objective – to assist stakeholders in moving up the "maturity curve" of an effective ERM process

Publication of a series of thought papers

Page 31

COSO ERM "Thought Papers"

• Four papers issued in 2009 surveying ERM practices – and particularly practices and recommendations related to board of director oversight

• Four papers in 2011 and 2012 focusing on difficult ERM process implementation issues:
▫ "Getting Started"
▫ Developing Key Risk Indicators
▫ Understanding and Communicating Risk Appetite
▫ Risk Assessment Practices

• Two papers in 2012-2013 dealing with applying ERM to current management issues:
▫ "Cloud" Computing Risks
▫ Sustainability Risks

• A behavioral paper in 2012 dealing with judgment biases

Page 32

Questions or Comments?

Thank You!

David Landsittel
www.coso.org

Page 33

CPA Canada Risk Oversight and Governance Board Role in Risk

Gigi Dawe, Principal, Governance, Strategy and Risk

Page 34

Role of CPA Canada's ROGB in Risk

• Chartered Professional Accountants of Canada, through its Risk Oversight and Governance Board (ROGB), develops guidance materials for boards of directors and senior officers

• As such, our focus is on the oversight of enterprise risk, vs. risk management.

• Our goal is to offer unique support specifically for directors that supports the activities of management

Page 35

Role of CPA Canada's ROGB in Risk

• Twelve years ago the ROGB began the 20 Questions series for directors – concise, practical guidance

• The 20 Questions series addresses subjects important to directors by posing questions that directors may ask of management, advisors, or themselves

• A brief summary of current thinking and some recommended practices are provided for each question

Page 36

Issues

• Insufficient time spent on risk oversight – and on risk management
• Limited knowledge of the organization and associated risks
• Lack of clarity – board / management role
• Limited knowledge of finance
• Excessive reliance on management / few advisors
• No system in place to manage risks or to communicate them to the board

Page 37

Role of CPA Canada's ROGB in Risk

• In 2012 the ROGB published A Framework for Board Oversight of Enterprise Risk – a slightly different, more "prescriptive" approach

• Intended to support management's use of COSO, ISO 31000 or other frameworks

• Feedback from directors – very positive – unique, usable, new

• Feedback from risk managers – "keep out" – made changes for more support

Page 38

Risk Oversight Framework

• Oversight of the risk management systems and processes by the board including continuously reviewing both the planning and outcomes of such processes.

• Propose the board needs to play a more active and direct role in the oversight of risk

• Boards need to much better understand their role

Page 39

Where are we going?

• Like this group, we want to support international efforts and provide CPAs a picture of international initiatives

• Want to ensure that any director materials are aligned with risk management

• We will vary delivery methods

Page 40

© 2013 Risk and Insurance Management Society, Inc. All rights reserved.

Page 41

RIMS Mission: To advance risk management for your organization's success

As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals located in over 60 countries. For more information on RIMS, visit www.RIMS.org.

Page 42

Involved in Standards Development

RIMS Approved as Accredited Standards Organization by American National Standards Institute 7/15/2011

NEW YORK (July 15, 2011) — RIMS today announced that it has been approved as an accredited standards development organization by the American National Standards Institute (ANSI) Executive Standards Council. This status will increase RIMS’ profile in the standards and practices arena by enabling it to take a lead role in shaping and developing risk management standards.

Collaborating with other associations and SDOs on standards development

Page 43

RIMS Risk Maturity Model™ (www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx)

Attributes: Seven core areas of ERM that drive effectiveness; compatible with various specialized frameworks

Risk competency measurement: 25 factors and 68 indicators; objective evaluation criteria; key issues that differentiate maturity levels

Maturity levels: Five maturity levels; detailed descriptions unique for each attribute; a measure to help reach goals for improvement

Benchmarking: with more than 2,000 organizations; standing in peer group; highlights ERM trends and priorities

Complements multiple standards and frameworks

Page 44

Research Using RIMS Risk Maturity Model

(Chart: attributes scored against maturity levels)

Attributes: ERM-based approach; ERM process management; Risk appetite management; Root cause discipline; Uncovering risks; Performance management; Resiliency and sustainability

Maturity levels: Non-existent; Ad hoc; Initial; Repeatable; Managed; Leadership

Page 45

Executive Reports

Page 46

Executive Reports

Page 47

RIMS Strategic Risk Management Framework

Strategic risk management (“SRM”) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.

Also complements multiple standards and frameworks

Page 48

Webinars on ERM and SRM

Page 49

Surveys

Page 50

Understanding Expectations

Q: What are the top two areas of improvement to help senior management and board more fully understand the risk landscape of your organization?

Source: Marsh/RIMS Excellence in Risk Management 10

Page 51

Risk Appetite and Risk Tolerance

Q: Has your organization developed formal enterprise-level risk appetite and/or risk tolerance statements?

Source: Marsh/RIMS Excellence in Risk Management 10

Page 52

Surveys

Source: 2013 RIMS Enterprise Risk Management (ERM) Survey. All rights reserved.

Q: To what extent has your organization adopted an enterprise risk management (ERM) program?

Page 53

Who Is Primarily Responsible for ERM?

Source: RIMS 2013 Benchmark Survey, produced by Advisen

Page 54

Standards or Frameworks Used

Source: RIMS 2013 Benchmark Survey, produced by Advisen

ISO 31000 up 5% from 2011

COSO up 2% from 2011

Q: Our program is most closely aligned with …

Page 55

www.rims.org

Carol Fox, ARM
Director of Strategic and Enterprise Risk Practice
+1 [email protected]

Page 56

FERMA: The Federation of European Risk Management Associations

Page 57

Mission and Objectives

Page 58

FERMA Alliances

• Represents 22 national risk management associations in 20 countries who have individual members
• Partners with other associations where there is mutual interest:
– European Confederation of Institutes of Internal Auditing (ECIIA)
– European Confederation of Directors Associations (ecoDA)
– Insurance intermediaries association (BIPAR)
– European Insurance Law association (AIDA)

• FERMA strengthens the voice of risk management in Europe by increasing contacts with their members and through joint representation to the European Commission

• Promotes the profession of risk manager by encouraging the development of risk management education and qualifications and support for young risk managers

Page 59

FERMA Certification of Risk Managers

• A European professional certification framework to give the risk manager's function more credibility, visibility and recognition.

• The ambition is for the certification to be recognized by risk managers, insurance managers and, more broadly, all the functions involved in the 1st and 2nd lines of defence as the leading European reference in risk management.

• FERMA aims to balance expenses over the medium term, not to make a profit on the certification activity

• Two levels: Passport, Professional

• Develop a body of knowledge

• A number of potential global and European partners

Page 60

Leadership in Risk Management – Zurich, Harvard, FERMA and PRIMO 2013

• C-suite supervision of risk management is increasing and there is increasingly a role for leadership of risk management
• The majority of companies have education and review processes in place that keep the C-suite informed about risk exposures
• Most think communication between the C-suite and the "CRO" could be better
• Companies aspire to improve the link between risk management and strategic planning
• Risk management has some way to go to use the risk management function for making more effective strategic decisions
• Risk-based incentives as part of remuneration: slow
• Brand and reputation: rising concerns
• Some executives and "experts" cite lack of risk management talent as an important area, especially in emerging products and markets
• Processes to define risk appetite now in place at nearly half of the companies

Page 61

FERMA Forum

• Maastricht, 29 September – 2 October
• 1500 professionals in risk management and insurance
• Panels, workshops and master classes
• Global subject matter leaders
• Demonstration of tools and techniques
• Promotion of young professionals and diversity
• Affiliation meetings including IFRIMA

Page 62

Page 63

Julia Graham, Director of Risk Management and Insurance

T +44 20 7796 6428
F +44 207 796 6594
M +44 7968 558 898
E [email protected]

Page 64

Exploring Common Paths in Risk Management

Risk Management Perspectives in ISO Standardization Experience

Page 65

Overview
• Risk Management Standards & ISO
• Development challenges and successes
• Looking Ahead: exploring shared perspectives

Page 66

ISO Standards Development – An Opinion

• Governance structures, directives, tools and guidance exist to support standards development
• There are various types of standards products
• The development process has many checks and balances to ensure country and stakeholder feedback: it ain't perfect!
• All work is done by volunteers nominated by their national technical committee and endorsed by each country's national standards body: discussion can be colorful, exciting and heated!
• Developing products takes time because of the create-feedback-review cycle

Page 67

ISO Standards & Risk Management

• The ISO community is very gradually moving towards harmonization in risk management expectations and terminology, but progress is slow and still fragmented:
◦ ISO 31010
◦ Guide 73
◦ ISO 22301
◦ Etc.

• Within the ISO context, Technical Committee 262 is seen as a natural home for risk management but it is only ONE ISO home. ISO is at the early stage of harmonization on risk management activity.

Page 68

Sample Successes

• Publication of ISO 31000 in 2009 – Risk Management Principles and Guidelines
◦ Globally popular
◦ Early feedback that it has helped
• Update of Guide 73 – Risk Management Terminology in 2009
• Technical Committee established 2012 by ISO's Technical Management Board
• Liaisons established with some other ISO committees to help harmonize risk management expectations, etc.
• Upcoming publication of ISO 31004 – Guidance for Implementation of ISO 31000: October 2013

Page 69

Challenges

• Understanding who our primary audience is and is not
• Communicating the value of the risk management standard
• Streamlining standards development processes
• Applying good practices in engaging and monitoring stakeholders throughout development
• Promoting regional cooperation
• Varying capacities of standards bodies
• Risk management as a lever for innovation

Page 70

Looking Ahead – Exploring Shared Perspectives

1. Coherent expectations: Would it be helpful to organizations to have a coherent understanding of what is expected as part of 'good risk management practice'?

2. Better practice in risk management: Can we share and consolidate our knowledge to help organizations?

3. Roles/Responsibilities: Can we help organizations with a common approach to establishing who does what? (See attached sample)

Page 71

Framework Design: Clarifying Who Does What (Sample Organization)

(Based on the Institute of Internal Auditors Position Paper, www.theiia.org)

Legend of the roles chart:
– Core internal audit roles in regard to ERM
– Legitimate internal audit roles with safeguards
– Roles internal audit should not undertake
– Proposed planning role
– Audit/evaluation role
– Risk oversight role
– Proposed ERM leadership roles
– Proposed business unit role
– Legal

The adaptation and use of this graphic as a tool for ERM design and implementation is copyrighted to RiskResults Consulting Inc. 2010 ©

Page 72

Conclusion

• We have similar challenges
◦ Value proposition of our respective auditing and risk management functions

• We have a major common objective
◦ Helping organizations to achieve their objectives

• One Road: How can we pull together, on what topics, to help organizations worldwide improve performance?

Page 73

Jan Mattingly
RiskResults Consulting Inc.
www.riskresults.ca
T/M: 613-286-6885
Email: [email protected]