
The new ISO 31000 standard and other risk management tools

Combined use of COSO ERM and ISO 31000 – emphases in practice

Christian Liljeström, KPMG Oy

18.4.2018

© 2018 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

Document Classification: KPMG Confidential

ISO 31000 and COSO ERM – a … SRHY 18.4.2018


Basic facts

COSO ERM:

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud, established in the US by five private sector organizations, dedicated to organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

• Updated June 2017; previous version 2004.

• 176 pages*. Supported by a number of other documents (covering e.g. Risk Assessment in Practice, ERM for Cloud Computing, ERM and Risk Appetite, KRIs, …).

ISO 31000:

• The International Organization for Standardization (ISO) is an independent organization whose members are the national standards bodies of its 162 member countries. It facilitates world trade by providing common standards between nations (ISO 31000 is the work of ISO's technical committee on risk management).

• Updated February 2018; previous version from 2009.

• 17 pages**. Supported by ISO/IEC 31010:2009, Risk management – Risk assessment techniques.

* Enterprise Risk Management – Integrating with Strategy and Performance

** SFS-ISO 31000:2018, Risk management – Guidelines


Whom do the frameworks address?

Text in the ERM document: “Enterprise Risk Management—Integrating with Strategy and Performance provides a Framework for boards and management in entities of all sizes.” “…every entity - whether for-profit, not-for-profit, or governmental - …”

Separate ISO 31000 flyer: “ISO 31000 is applicable to all organizations, regardless of type, size, activities and location, and covers all types of risk. It was developed by a range of stakeholders and is intended for use by anyone who manages risks, not just professional risk managers.”

Text in the standard: “This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.”

On the COSO homepage/FAQ: “The Original Framework (2004) is intended to help risk practitioners, business leaders, and assurance providers by offering a comprehensive discussion of the components and principles of the Framework from strategy setting through to execution.”


Why were the frameworks changed?

Explanations for change – COSO ERM:

• Through that period the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting.

• This update addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

Explanations for change – ISO 31000:

• All ISO standards are reviewed every five years and then revised if needed.

• A revised version was published to take into account the evolution of the market and new challenges faced by business and organizations since the standard was first released.

• One example of this is the increased complexity of economic systems and emerging risk factors such as digital currency, both of which can present new and different types of risks to an organization on an international scale.

Largely the same reasons for the updates are quoted in both frameworks.


What are the main changes (1/3)? Similarities

Similar and related reasons mentioned for the renewal of the documents:

• More emphasis on strategy
• Focus on value creation
• Better inclusion of stakeholders
• Alignment throughout the organization

ISO 31000 rationales for change:

• Provides more strategic guidance and places a greater focus on creating value as the key driver of risk management, and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors.

• The revised standard now also recommends that risk management be part of the organization’s structure, processes, objectives, strategy and activities.

COSO ERM rationales for change:

• Provides greater insight into the value of enterprise risk management when setting and carrying out strategy.

• Expands reporting to address expectations for greater stakeholder transparency.

• Enhances alignment between performance and enterprise risk management to improve the setting of performance targets and understanding the impact of risk on performance.

• Involve all levels of management

ISO 31000 rationale for change:

• Places more emphasis on both the involvement of senior management and the integration of risk management into the organization.

COSO ERM rationale for change:

• Sets out core definitions, components, and principles for all levels of management involved in designing, implementing, and conducting enterprise risk management practices.


What are the main changes (2/3)? Similarities

Similar and related reasons mentioned for the renewal of the documents:

• More governance requirements

ISO 31000 rationale for change:

• This includes the recommendation to develop a statement or policy that confirms a commitment to risk management, assigning authority, responsibility and accountability at the appropriate levels within the organization and ensuring that the necessary resources are allocated to managing risk.

COSO ERM rationale for change:

• Accommodates expectations for governance and oversight.

• External environment emphasized

ISO 31000 rationale for change:

• The content has been streamlined to reflect an open systems model that regularly exchanges feedback with its external environment in order to fit a wider range of needs and contexts.

COSO ERM rationales for change:

• Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies.

• Presents new ways to view risk in setting and achieving objectives in the context of greater business complexity.


What are the main changes (3/3)? Dissimilarities

Unique reasons for the renewal of the documents:

ISO 31000 rationales for change:

• Clearer approach: the key objective is to make things clearer and easier, using plain language to define the fundamentals of risk management in a way that the reader will find easier to comprehend.

• More concise terminology: the terminology is now more concise, with certain terms being moved to ISO Guide 73, Risk management – Vocabulary, which deals specifically with risk management terminology and is intended to be used alongside ISO 31000. Work has commenced on a terminology standard and an implementation handbook to further enhance the understanding and applicability of the standard.

COSO ERM rationale for change:

• Accommodate new technologies and data & analytics: accommodates evolving technologies and the proliferation of data and analytics in supporting decision-making.


Word count on a few selections – find the wording…

Search term | ISO 31000 | COSO ERM
”strateg” | 8 hits | 560 hits
”value” | 12 hits | 170 hits
”risk appetite” | 0 hits* | 230 hits

* The explanation of risk criteria partly accommodates the risk appetite concept


Structure “one-pagers”

ISO 31000: Principles, Framework, Process

• Principles: value creation and protection
• Framework: leadership and commitment
• Process

COSO ERM: Components and Principles of Enterprise Risk Management

• Governance & culture
• Strategy & objective setting
• Performance
• Review & revision
• Information, communication and reporting


ISO covers risk management and COSO enterprise risk management

Key definitions:

Risk
• ISO 31000: Effect of uncertainty on objectives
• COSO ERM: The possibility that events will occur and affect the achievement of strategy and business objectives

Risk management (ISO) / Enterprise risk management (COSO)
• ISO 31000: Coordinated activities to direct and control an organization with regard to risk
• COSO ERM: The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value


COSO ERM components and principles

Component: Governance & culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals

Component: Strategy & objective setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Component: Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View

Component: Review & revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management

Component: Information, communication and reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance


ISO 31000 components and parts

Component: Principles – creation and protection of value
• Integrated
• Structured and comprehensive
• Customized
• Inclusive
• Dynamic
• Best available information
• Human and cultural factors
• Continual improvement

Component: Framework – leadership and commitment
• Integration
• Design: understanding the organization and its context; articulating risk management commitment; assigning organizational roles, authorities, responsibilities and accountabilities; allocating resources; establishing communication and consultation
• Implementation
• Evaluation
• Improvement: adapting; continually improving

Component: Process
• Communication and consultation
• Scope, context and criteria
• Risk assessment
• Risk treatment
• Monitoring and review
• Recording and reporting


A rough comparison of the detailed content – COSO ERM Framework (106 pages)

1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
6. Analyzes Business Context
7. Defines Risk Appetite*
8. Evaluates Alternative Strategies
9. Formulates Business Objectives
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance

* Risk criteria is partly used in this context in ISO 31000

Legend (each principle is colour-coded on the slide with one of these ratings):
• COSO ERM only
• COSO ERM and ISO 31000: same meaning/content
• COSO ERM and ISO 31000: a little of the same meaning/content
• COSO ERM and ISO 31000: some of the same meaning/content
• COSO ERM and ISO 31000: mostly the same meaning/content

Thank you!

