COSO ERM Update – Applying the New Framework
Paul J. Sobel, CIA, QIAL, CRMA
COSO Chairman
Chief Risk Officer – Georgia-Pacific
Focus of Presentation
• Market Acceptance of the COSO ERM Framework
• Using COSO ERM to Evaluate and Advance Risk Management
• COSO/WBCSD Joint ESG Guidance
• Other Guidance Updates
Links to Strategy Are Better Understood
Explores strategy from three different perspectives:
• The possibility of strategy and business objectives not aligning with mission, vision and values
• The implications from the strategy chosen
• Risk to executing the strategy
Emphasis on Culture is Resonating
• Addresses the growing focus, attention and importance of culture within enterprise risk management
• Explores culture within the broader context of overall core values
• Depicts culture behavior within a risk spectrum
• Explores the possible effects of culture on decision making
Still Questions on Links to Internal Control
• The document does not replace the 2013 Internal Control – Integrated Framework
• The two frameworks are distinct and complementary
• Both use a components and principles structure
• Aspects of internal control common to enterprise risk management are not repeated
• Some aspects of internal control are developed further in this framework
Compendium of Examples
The compendium illustrates:
• All principles
• A variety of entity sizes from global through to national, regional, and local entities
• Actual company practices and augmented with expected practices in select areas, as needed
• An ERM perspective from the business mindset
Evaluating and Advancing ERM
• Start with education
– Components and principles
– Role of ERM in strategic planning and value creation
• Evaluate current and desired ERM states:
– Against 20 Principles
– Consider a maturity approach
• Build on a SOX 404 assessment
Assessing the Effectiveness of ERM
• Assess current state against 20 principles
– Questions on each principle
– Nature of evidence for each principle
• Identify gaps to desired level for each principle
• Determine actions to close gaps
– Short-term
– Long-term
The Global Landscape Continues to Shift
[Chart: Top 5 Global Risks by likelihood and Top 5 Global Risks by impact, 2009–2019, categorized as Economic, Environmental, Geopolitical, Societal and Technological. Source: WEF 2019. Risks named in the chart include: asset price collapse, extreme weather events, slowing Chinese economy (<6%), failure of climate-change mitigation and adaptation, chronic disease, natural disasters, global governance gaps, data fraud or theft, retrenchment from globalization (developed), cyberattacks, weapons of mass destruction, oil and gas price spike, water crises, fiscal crises.]
Companies Have Been Impacted by the Changing Business Context
[Timeline figure: 1970s through 2018]
How Can This Guidance Help?
• Enhanced resilience
• A common language for articulating ESG-related risks
• Improved resource deployment
• Enhanced pursuit of ESG-related opportunities
• Realized efficiencies of scale
• Improved disclosure
Potential Updates to Existing Guidance
• Monitoring Guidance
• Understanding and Communicating Risk Appetite
• Practical Approaches to Creating and Protecting Organizational Value
• COSO in the Cyber Age
Potential New Guidance
• Using COSO ERM to Manage Compliance Risks
• Blockchain and its Impact on Internal Controls and Implications for ERM
• Psychology and Sociology of Fraud
• Assessment Tools for Risk
• Robotic Process Automation and Artificial Intelligence (no known authors at this time)
Summary
• COSO ERM seems to be getting traction in the marketplace
• The five components and 20 principles can help assess the effectiveness of ERM
• New ESG guidance may be helpful
• Pipeline of guidance starting to fill up
Paul J. Sobel, CIA, QIAL, CRMA
COSO Chairman
www.coso.org